Hi Matt,
Could you please send me the zone file?
Thanks!
On 3/14/24 20:20, Matthew Pounsett wrote:
I got a report of an NSEC error from someone who tried to connect to a mistyped
hostname. I've done a bit of poking, and it looks like we're seeing a missing
wildcard NSEC for domain names that are
two subdomains down from the apex, but not for subdomains of the apex. Though, I admit I
can't see the problem myself. Querying by hand I see what looks like an identical
response, but resolvers and
DNSViz report problems with the deeper name.
For example,
nonexistent.dns-oarc.net and nonexistent.sjc.dns-oarc.net (sjc.dns-oarc.net is a real
subdomain with hosts in it, not an ENT)... kdig output and DNSViz results below.
We're running knot/unknown,now 3.3.5-cznic.1~bullseye from deb.knot-dns.cz, and this is
the relevant policy statement for the zone:
policy:
  - id: ecdsa
    algorithm: ecdsap256sha256
    ksk-lifetime: 365d
    ksk-submission: parent_zone_sbm
    zsk-lifetime: 30d
    rrsig-lifetime: 14d
    rrsig-refresh: 7d
We are mid-KSK-roll, waiting on the DS submission check.
Have I misconfigured something here, or is there a signing bug, or is this something
else?
Thanks!
Matt
---
nonexistent.sjc.dns-oarc.net: DNSviz reports this is fine.
https://dnsviz.net/d/nonexistent.dns-oarc.net/ZfNH1w/dnssec/
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 9380
;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; nonexistent.dns-oarc.net. IN A
;; AUTHORITY SECTION:
dns-oarc.net. 3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600
nfsen.dns-oarc.net. 3600 IN NSEC ns.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net. 3600 IN NSEC fs1.10g.dns-oarc.net. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CAA
dns-oarc.net. 3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted]
nfsen.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
dns-oarc.net. 3600 IN RRSIG NSEC 13 2 3600 20240322045130 20240308032130 6048 dns-oarc.net. [omitted]
;; Received 518 B
;; Time 2024-03-14 18:57:33 UTC
;; From 64.191.0.128@53(UDP) in 0.3 ms
nonexistent.sjc.dns-oarc.net: resolvers and DNSViz report a missing wildcard NSEC
https://dnsviz.net/d/nonexistent.sjc.dns-oarc.net/ZfNH6w/dnssec/
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 660
;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; nonexistent.sjc.dns-oarc.net. IN A
;; AUTHORITY SECTION:
dns-oarc.net. 3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600
newmail.sjc.dns-oarc.net. 3600 IN NSEC pdu-7301.sjc.dns-oarc.net. A AAAA RRSIG NSEC
shin-cubes.dns-oarc.net. 3600 IN NSEC an1.10g.sjc.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net. 3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted]
newmail.sjc.dns-oarc.net. 3600 IN RRSIG NSEC 13 4 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
shin-cubes.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
;; Received 544 B
;; Time 2024-03-14 18:57:33 UTC
;; From 64.191.0.128@53(UDP) in 0.3 ms
--
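The two NXDOMAIN proofs discussed in the thread, checked the way a validating resolver does under RFC 4034/4035 (canonical name ordering, an NSEC covering the query name, and an NSEC covering the wildcard under the closest encloser). This is an added example, not code from the thread or from Knot; the NSEC owner/next pairs are the ones quoted in the two kdig responses above, and the helper names are made up here.

```python
"""Minimal NSEC NXDOMAIN proof check in the style of RFC 4034/4035.
Added example, not code from the thread; the NSEC pairs below are the
ones quoted in the two kdig responses, the helper names are made up."""

def canon(name):
    """RFC 4034 s6.1 ordering key: labels from the root leftwards, case-
    insensitive bytewise compare; a parent sorts before its children."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(l.encode() for l in reversed(labels))

def nsec_covers(owner, nxt, name):
    """True if name sorts strictly between owner and next: it does not exist.
    The last NSEC in the zone wraps round to the apex, so next may sort first."""
    o, n, x = canon(owner), canon(nxt), canon(name)
    if o < n:
        return o < x < n
    return x > o or x < n  # wrap-around NSEC

def closest_encloser(owner, qname):
    """Longest common ancestor of the covering NSEC owner and the query name."""
    o, q = canon(owner), canon(qname)
    common = 0
    while common < min(len(o), len(q)) and o[common] == q[common]:
        common += 1
    return ".".join(l.decode() for l in reversed(q[:common])) + "."

def check_nxdomain_proof(qname, nsecs):
    """nsecs: (owner, next) pairs from the AUTHORITY section. A valid NXDOMAIN
    proof needs one NSEC covering qname and one covering *.<closest encloser>."""
    covering = [(o, n) for o, n in nsecs if nsec_covers(o, n, qname)]
    if not covering:
        return False, "no NSEC covers " + qname
    ce = closest_encloser(covering[0][0], qname)
    wildcard = "*." + ce
    if not any(nsec_covers(o, n, wildcard) for o, n in nsecs):
        return False, "no NSEC covers wildcard " + wildcard
    return True, "closest encloser %s, wildcard %s denied" % (ce, wildcard)

# NSEC owner/next pairs copied from the two kdig responses in the thread.
APEX_CASE = ("nonexistent.dns-oarc.net.",
             [("nfsen.dns-oarc.net.", "ns.dns-oarc.net."),
              ("dns-oarc.net.", "fs1.10g.dns-oarc.net.")])
DEEP_CASE = ("nonexistent.sjc.dns-oarc.net.",
             [("newmail.sjc.dns-oarc.net.", "pdu-7301.sjc.dns-oarc.net."),
              ("shin-cubes.dns-oarc.net.", "an1.10g.sjc.dns-oarc.net.")])

if __name__ == "__main__":
    for qname, nsecs in (APEX_CASE, DEEP_CASE):
        print(qname, check_nxdomain_proof(qname, nsecs))
```

By canonical ordering alone this check accepts both responses (shin-cubes.dns-oarc.net sorts before *.sjc.dns-oarc.net, which sorts before an1.10g.sjc.dns-oarc.net), so it is a starting point for comparing against what DNSViz flags, not a substitute for it: it does not validate RRSIGs, signer names or the ENT handling a full validator applies.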