Hi!
While testing deSEC Managed DNS hosting with a domain I noticed that DNSViz shows some errors related to NSEC3 TTLs. I checked this with your domain desec.org and similar errors were detected:
https://dnsviz.net/d/desec.org/X7U5xw/dnssec/?rr=all&a=all&ds=all&doe=on&red=on&ta=.&tk=
• RRSIG NSEC3 proving non-existence of 91grntqly6.desec.org/A alg 13, id 6697: The TTL of the RRset (3600) exceeds the value of the Original TTL field of the RRSIG RR covering it (300).
• RRSIG NSEC3 proving non-existence of desec.org/CNAME alg 13, id 6697: The TTL of the RRset (3600) exceeds the value of the Original TTL field of the RRSIG RR covering it (300).
Is this an error with DNSViz or is deSEC doing something wrong?
Note: It is not easy to check NSEC3 RRs using normal tools like dig(1). I tried the following but saw no TTL inconsistencies:
$ dig +dnssec +multi @ns1.desec.io _no_such_subdomain.desec.org A
; <<>> DiG 9.8.3-P1 <<>> +dnssec +multi @ns1.desec.io _no_such_subdomain.desec.org A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52806
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;_no_such_subdomain.desec.org. IN A
;; ANSWER SECTION:
_no_such_subdomain.desec.org. 3600 IN RRSIG A 13 2 3600 20201126000000 (
20201105000000 6697 desec.org.
V064CVFMcMx6pSQYvX8VHym/NlfkfbRkDdmWmFVdcznv
iriOKqL7fyzgbyKUqXBEusfHuwfL7KFRYJnW9GyHoA== )
_no_such_subdomain.desec.org. 3600 IN A 88.99.107.170
;; AUTHORITY SECTION:
dtcqnj8ttpd5ssq8lit9lv3f9pul2hkg.desec.org. 3600 IN NSEC3 1 0 127 A34673C73342DA53 J7V5VHNN5R6P5OIOLLCUHIA31E1F0KTP A RRSIG
dtcqnj8ttpd5ssq8lit9lv3f9pul2hkg.desec.org. 3600 IN RRSIG NSEC3 13 3 300 20201126000000 (
20201105000000 6697 desec.org.
ydzr63BSQHiPUlsgyCRc0nLcX70osh5m9Z/PZI7Mv2kx
A4pnxB0nE2cusqUyGe0rl5xRv1aC1NQAzz8qB2JfWw== )
;; Query time: 19 msec
;; SERVER: 45.54.76.1#53(45.54.76.1)
;; WHEN: Wed Nov 18 16:19:46 2020
;; MSG SIZE rcvd: 370
$
(It seems there is a wildcard entry for desec.org A as no matter what subdomain I use I always get the answer 88.99.107.170. But the authority section shows an NSEC3 record and its RRSIG at least.)
BTW: If someone knows a good way to directly read NSEC3 records (and the RRSIG NSEC3) I’d be grateful for a hint.
Thanks!
fiwswe
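The following is an added example, not part of the original post: a small Python script that performs the check DNSViz is reporting. It parses dig +multi output, pairs each RRset with the RRSIG that covers it, and flags any RRset whose TTL exceeds the Original TTL field of its RRSIG (the TTL a validator would cap to under RFC 4035 section 5.3.3), plus any RRSIG whose own TTL differs from the RRset it covers (RFC 4035 section 2.2). The sample input is a copy of the answer and authority sections from the dig run above, embedded inline so the script runs offline; the function names are my own.

```python
import sys

# Sample input, copied from the dig +multi output in the post above
# (embedded here so the script runs without network access).
DIG_OUTPUT = """\
_no_such_subdomain.desec.org. 3600 IN RRSIG A 13 2 3600 20201126000000 (
    20201105000000 6697 desec.org.
    V064CVFMcMx6pSQYvX8VHym/NlfkfbRkDdmWmFVdcznv
    iriOKqL7fyzgbyKUqXBEusfHuwfL7KFRYJnW9GyHoA== )
_no_such_subdomain.desec.org. 3600 IN A 88.99.107.170
dtcqnj8ttpd5ssq8lit9lv3f9pul2hkg.desec.org. 3600 IN NSEC3 1 0 127 A34673C73342DA53 J7V5VHNN5R6P5OIOLLCUHIA31E1F0KTP A RRSIG
dtcqnj8ttpd5ssq8lit9lv3f9pul2hkg.desec.org. 3600 IN RRSIG NSEC3 13 3 300 20201126000000 (
    20201105000000 6697 desec.org.
    ydzr63BSQHiPUlsgyCRc0nLcX70osh5m9Z/PZI7Mv2kx
    A4pnxB0nE2cusqUyGe0rl5xRv1aC1NQAzz8qB2JfWw== )
"""


def join_multiline(text):
    """Collapse dig +multi records (split across lines inside parentheses)
    into one whitespace-separated line per record; skip comments."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            records.append(" ".join(buf))
            buf = []
    return records


def parse_records(text):
    """Split records into plain RRsets and RRSIGs.
    RRSIG rdata order (RFC 4034 3.1): type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer, signature."""
    rrsets = {}  # (owner, type) -> list of TTLs seen
    rrsigs = {}  # (owner, type covered) -> list of (rrsig ttl, original ttl)
    for rec in join_multiline(text):
        f = rec.split()
        owner, ttl, rtype = f[0], int(f[1]), f[3]
        if rtype == "RRSIG":
            covered, orig_ttl = f[4], int(f[7])
            rrsigs.setdefault((owner, covered), []).append((ttl, orig_ttl))
        else:
            rrsets.setdefault((owner, rtype), []).append(ttl)
    return rrsets, rrsigs


def check_ttls(text):
    """Return a list of (owner, type, problem, rrset_ttl, compared_value)
    for every TTL inconsistency between an RRset and its RRSIG."""
    rrsets, rrsigs = parse_records(text)
    problems = []
    for key, ttls in rrsets.items():
        rrset_ttl = max(ttls)
        for sig_ttl, orig_ttl in rrsigs.get(key, []):
            if rrset_ttl > orig_ttl:
                problems.append((key[0], key[1], "ttl_exceeds_original_ttl",
                                 rrset_ttl, orig_ttl))
            if sig_ttl != rrset_ttl:
                problems.append((key[0], key[1], "rrsig_ttl_mismatch",
                                 rrset_ttl, sig_ttl))
    return problems


if __name__ == "__main__":
    # Pipe real dig +dnssec +multi output on stdin, or run with no input
    # to check the embedded sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else DIG_OUTPUT
    for owner, rtype, problem, ttl, other in check_ttls(data):
        print(f"{owner} {rtype}: {problem} (RRset TTL {ttl}, RRSIG value {other})")
```

Run against the sample, the script reports only the NSEC3 RRset: its TTL of 3600 exceeds the RRSIG's Original TTL of 300, which is the same condition DNSViz flags; the A RRset passes because both values are 3600. To get NSEC3 records without relying on a negative answer, querying the hashed owner name itself for type NSEC3 (dig +dnssec @ns1.desec.io dtcqnj8ttpd5ssq8lit9lv3f9pul2hkg.desec.org NSEC3) returns the record and its RRSIG in the answer section on most authoritative servers.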