I think there are at least 2 issues?
Unbound’s complaint about the negative records (causing it to return SERVFAIL) is clear enough, but I’m not certain what it means.
https://unboundtest.com/m/CAA/uren.acc.softenergy.nl/ZCEPTD4N
Oct 10 07:00:41 unbound[16994:0] debug: NODATA response failed to prove NODATA status with NSEC/NSEC3
Oct 10 07:00:41 unbound[16994:0] info: validate(nodata): sec_status_bogus
Someone correct me if I’m wrong, but I think it means the servers are returning the wrong hostname’s NSEC records?
$ dig +dnssec +cd uren.acc.softenergy.nl aaaa
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec +cd uren.acc.softenergy.nl aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48139
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;uren.acc.softenergy.nl. IN AAAA
;; AUTHORITY SECTION:
softenergy.nl. 2967 IN SOA ns1.metaregistrar.nl. beheer.metaregistrar.nl. 1 14400 3600 604800 3600
softenergy.nl. 2967 IN RRSIG SOA 8 2 86400 20171019000000 20170928000000 51508 softenergy.nl. DyNwhhs4SqCPQNxXkait1L88PlvfBjuZ5qq5JkmMvwyEi2W2MFrzfFtg L2+0Nl+9XvyxS/gPUdsz22lZB5WQPzBoqwdHUGuBAfMZYKVn3N4Y+WDu EqwuFbz6b4fjAOe077eBWsyd0AxjhQ8bJa8clZRAHeLhvYMfX5HJRzMg W9o=
softenergy.nl. 2967 IN NSEC crm.softenergy.nl. A NS SOA MX TXT RRSIG NSEC DNSKEY
softenergy.nl. 2967 IN RRSIG NSEC 8 2 3600 20171019000000 20170928000000 51508 softenergy.nl. biJ0D0cehbdKdw3tET3NoCJZoisfLYc8VUclLIKRof5aNUwTND3q62qH nBhb0R8szHIyuQ2wemFi/P9wtYIJGjwC7BZ90NfqlGz9LJxtf6mJMXmW C2qHlPx4nBIDAQvi5elUr9J8d4DXMtPDlA4NWh5oFLz7NJ55CoVjf8pB PHY=
;; Query time: 612 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Oct 10 06:59:24 UTC 2017
;; MSG SIZE rcvd: 498
Versus, for example (real domain name substituted with example.com):
$ dig +dnssec www.example.com aaaa
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec www.example.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9534
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.example.com. IN AAAA
;; AUTHORITY SECTION:
example.com. 3601 IN SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2017100900 43200 3600 604800 3601
example.com. 3601 IN RRSIG SOA 8 2 3601 20171019000000 20170928000000 43171 example.com. ZOz+Cd4XiEfutqQhvCtQcQYhpodXsS4h7lFLE6gbEhexSpZ4CReLI1Ce EdEnTaWSgsR89Ms5VKFpCvppmj4+4Zf48dL3g4/+/W/FSA6DmKZuwwdK Yk33UUKh4jf1zpW3N2N/X/dy7SO7DkamIVet9617cCPggh3+C/Eybdxa 51k=
www.example.com. 3601 IN NSEC example.com. A RRSIG NSEC
www.example.com. 3601 IN RRSIG NSEC 8 3 3601 20171019000000 20170928000000 43171 example.com. e4AS2cbeXXSDDNJDvW0m2yjNii3FdYWKP2DoVODM8NUl02teT1B2RHjU XgIhV5GbYV7wIa/pFGUwVDGjGRWX9vEuBPJla49ZKmfjG4IQRNHnuEGA Z9AayomHMrD7GSFpFvVcH2wUjKmgRYz9TplL2Vc3r6MBgPy/sN/9zjKc UpU=
;; Query time: 15 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Oct 10 07:02:38 UTC 2017
;; MSG SIZE rcvd: 492
Additionally, the nameservers incorrectly return NXDOMAIN for empty non-terminals (instead of NODATA NOERROR):
$ dig +dnssec acc.softenergy.nl
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec acc.softenergy.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47369
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;acc.softenergy.nl. IN A
;; AUTHORITY SECTION:
softenergy.nl. 1912 IN SOA ns1.metaregistrar.nl. beheer.metaregistrar.nl. 1 14400 3600 604800 3600
softenergy.nl. 1912 IN RRSIG SOA 8 2 86400 20171019000000 20170928000000 51508 softenergy.nl. DyNwhhs4SqCPQNxXkait1L88PlvfBjuZ5qq5JkmMvwyEi2W2MFrzfFtg L2+0Nl+9XvyxS/gPUdsz22lZB5WQPzBoqwdHUGuBAfMZYKVn3N4Y+WDu EqwuFbz6b4fjAOe077eBWsyd0AxjhQ8bJa8clZRAHeLhvYMfX5HJRzMg W9o=
softenergy.nl. 1912 IN NSEC crm.softenergy.nl. A NS SOA MX TXT RRSIG NSEC DNSKEY
softenergy.nl. 1912 IN RRSIG NSEC 8 2 3600 20171019000000 20170928000000 51508 softenergy.nl. biJ0D0cehbdKdw3tET3NoCJZoisfLYc8VUclLIKRof5aNUwTND3q62qH nBhb0R8szHIyuQ2wemFi/P9wtYIJGjwC7BZ90NfqlGz9LJxtf6mJMXmW C2qHlPx4nBIDAQvi5elUr9J8d4DXMtPDlA4NWh5oFLz7NJ55CoVjf8pB PHY=
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Oct 10 07:16:59 UTC 2017
;; MSG SIZE rcvd: 493
If Let’s Encrypt runs Unbound with “harden-below-nxdomain: yes” (unboundtest.com’s example configuration doesn’t) it can return NXDOMAIN for “uren.acc.softenergy.nl.”.
http://dnsviz.net/d/uren.acc.softenergy.nl/WdxubA/dnssec/
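As an added illustration (not part of the original post, and not Unbound's own code), the following Python script reproduces the NSEC reasoning a validator applies to the two NODATA answers quoted above: canonical name ordering per RFC 4034 §6.1, and the RFC 4035 rule that a NOERROR/NODATA answer must carry an NSEC whose owner is the query name (or that proves the name is an empty non-terminal). The NSEC records are copied from the dig output in the post; the one labelled `ENT_NSEC` is a constructed, hypothetical record showing what a correct empty-non-terminal proof for acc.softenergy.nl would look like. The `nxdomain_below_cached` helper is a simplified model of the `harden-below-nxdomain` behaviour, not Unbound's implementation.

```python
# Added example, not from the original post: a minimal NSEC NODATA check in the
# style of RFC 4034 §6.1 (canonical ordering) and RFC 4035 §5.4 (NODATA proofs),
# run against the NSEC records quoted in the dig output above.
# Wildcard proofs are out of scope; ENT_NSEC below is constructed, not observed.


def labels(name):
    """Split a DNS name into lowercase labels, root-most label first."""
    name = name.rstrip(".").lower()
    return [] if name == "" else list(reversed(name.split(".")))


def canonical_cmp(a, b):
    """Return -1, 0 or 1 comparing a and b in DNSSEC canonical name order:
    label by label from the root, byte-wise, with a shorter name sorting
    before any name that extends it."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        bx, by = x.encode(), y.encode()
        if bx != by:
            return -1 if bx < by else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(name, ancestor):
    """True if name equals ancestor or lies beneath it."""
    ln, la = labels(name), labels(ancestor)
    return ln[:len(la)] == la


def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between the NSEC owner and its next name.
    The last NSEC in a chain points back to the zone apex, so its range wraps
    around and covers everything sorting after its owner."""
    if canonical_cmp(owner, next_name) < 0:
        return canonical_cmp(owner, qname) < 0 < canonical_cmp(next_name, qname)
    return canonical_cmp(owner, qname) < 0 or canonical_cmp(qname, next_name) < 0


def nsec_nodata_proof(owner, next_name, types, qname, qtype):
    """Classify what one NSEC RR proves about (qname, qtype) in a NOERROR/NODATA answer.

      "nodata"       owner is qname and qtype is absent from the type bitmap
      "nodata-ent"   NSEC spans qname and its next name lies below qname, so qname
                     is an empty non-terminal (it exists but has no data)
      "name-missing" NSEC spans qname and nothing lies below it: this proves the
                     name does not exist, which is an NXDOMAIN proof, not a NODATA
                     proof, so a validator marks the NODATA answer bogus
      "no-proof"     the NSEC says nothing useful about qname
    """
    if canonical_cmp(owner, qname) == 0:
        if qtype in types or "CNAME" in types:
            return "no-proof"
        return "nodata"
    if nsec_covers(owner, next_name, qname):
        if is_subdomain(next_name, qname):
            return "nodata-ent"
        return "name-missing"
    return "no-proof"


def nxdomain_below_cached(qname, secure_nxdomains):
    """Simplified model (assumption, not Unbound's code) of harden-below-nxdomain /
    RFC 8020: a name under a DNSSEC-validated NXDOMAIN is answered NXDOMAIN from cache."""
    return any(is_subdomain(qname, n) for n in secure_nxdomains)


# NSEC data copied from the dig output in the post.
SOFTENERGY_NSEC = ("softenergy.nl.", "crm.softenergy.nl.",
                   {"A", "NS", "SOA", "MX", "TXT", "RRSIG", "NSEC", "DNSKEY"})
EXAMPLE_NSEC = ("www.example.com.", "example.com.", {"A", "RRSIG", "NSEC"})
# Constructed, hypothetical: an NSEC that would prove acc.softenergy.nl is an
# empty non-terminal (its next name sits below the ENT).
ENT_NSEC = ("softenergy.nl.", "uren.acc.softenergy.nl.",
            {"A", "NS", "SOA", "MX", "TXT", "RRSIG", "NSEC", "DNSKEY"})


def check_page_cases():
    """Run the classifier over the responses quoted in the post."""
    return {
        "uren AAAA (softenergy.nl NSEC)": nsec_nodata_proof(*SOFTENERGY_NSEC, "uren.acc.softenergy.nl.", "AAAA"),
        "www.example.com AAAA": nsec_nodata_proof(*EXAMPLE_NSEC, "www.example.com.", "AAAA"),
        "acc A (softenergy.nl NSEC)": nsec_nodata_proof(*SOFTENERGY_NSEC, "acc.softenergy.nl.", "A"),
        "acc A (constructed ENT NSEC)": nsec_nodata_proof(*ENT_NSEC, "acc.softenergy.nl.", "A"),
    }


if __name__ == "__main__":
    for case, verdict in check_page_cases().items():
        print(f"{case}: {verdict}")
    print("harden-below-nxdomain would answer uren.acc.softenergy.nl NXDOMAIN:",
          nxdomain_below_cached("uren.acc.softenergy.nl.", ["acc.softenergy.nl."]))
```

Running it shows why the first response validates as bogus: the NSEC `softenergy.nl. -> crm.softenergy.nl.` spans `uren.acc.softenergy.nl.` in canonical order, which is a proof that the name does not exist, whereas the NOERROR answer claims the name exists without AAAA data; the example.com answer instead carries an NSEC owned by the query name itself, which is the proof a NODATA answer needs.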