On Mar 15, 2024, at 11:47 AM, Matthew Pounsett
<matt(a)conundrum.com> wrote:
On Fri, Mar 15, 2024 at 6:03 AM libor.peltan <libor.peltan(a)nic.cz
<mailto:libor.peltan@nic.cz>> wrote:
I tried it by hand and indeed, the problem is solely at ultradns servers:
Looking at the output, there is a (redundant) NSEC proving the
non-existence of the wildcard *.dns-oarc.net <http://dns-oarc.net/>. instead(!):
dns-oarc.net <http://dns-oarc.net/>.
3600 IN NSEC
fs1.10g.dns-oarc.net
<http://fs1.10g.dns-oarc.net/>. A NS SOA MX TXT
AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CA
This remind me of a similar issue that we have fixed in Knot DNS some
years ago, but I con't find it at the moment, it seems that what we have
fixed is wildcard answers in connection with CNAMEs/DNAMEs and stuff,
but not this straightforward situation...
In any case, you should probably tell UltraDNS to use recent versions of
whatever software they use.
I'm fairly sure they're still using their own in-house server software. I'll
report this to their support and see what happens.
We will investigate. Thanks for the heads-up!
dave
UltraDNS