opt-out validation problems
(Moved out of a different issue.)
Running kdig @::1 -p 5353 ns10.univie.ac.at
after clearing cache returns SERVFAIL:
[plan] plan 'ns10.univie.ac.at.' type 'A'
[resl] => using root hints
[plan] plan '.' type 'DNSKEY'
[resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[iter] <= rcode: NOERROR
[vldr] <= parent: updating DNSKEY
[vldr] <= answer valid, OK
[resl] <= server: '2001:dc3::35' rtt: 30 ms
[resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: 'AT.' type: 'NS' proto: 'udp'
[resl] => querying: '2001:500:9f::42' score: 10 zone cut: '.' m12n: 'AT.' type: 'NS' proto: 'udp'
[iter] <= using glue for 'j.ns.at.'
[iter] <= using glue for 'ns1.univie.ac.at.'
[iter] <= using glue for 'ns9.univie.ac.at.'
[iter] <= using glue for 'n.ns.at.'
[iter] <= using glue for 'r.ns.at.'
[iter] <= using glue for 'u.ns.at.'
[iter] <= using glue for 'd.ns.at.'
[iter] <= using glue for 'ns2.univie.ac.at.'
[iter] <= referral response, follow
[vldr] <= DS: OK
[vldr] <= answer valid, OK
[resl] <= server: '202.12.27.33' rtt: 286 ms
[resl] <= server: '2001:500:9f::42' rtt: >=36 ms
[plan] plan 'at.' type 'DNSKEY'
[resl] => querying: '2001:678:d::cafe' score: 10 zone cut: 'at.' m12n: 'AT.' type: 'DNSKEY' proto: 'udp'
[iter] <= rcode: NOERROR
[vldr] <= parent: updating DNSKEY
[vldr] <= answer valid, OK
[resl] <= server: '2001:678:d::cafe' rtt: 5 ms
[resl] => querying: '2001:678:1c::2' score: 10 zone cut: 'at.' m12n: 'AC.AT.' type: 'NS' proto: 'udp'
[iter] <= rcode: NOERROR
[iter] <= found cut, retrying with non-minimized name
[resl] <= server: '2001:678:1c::2' rtt: 15 ms
[resl] => querying: '2001:678:1c::2' score: 15 zone cut: 'at.' m12n: 'NS10.uNIvIe.ac.At.' type: 'A' proto: 'udp'
[iter] <= using glue for 'ns7.univie.ac.at.'
[iter] <= using glue for 'ns10.univie.ac.at.'
[iter] <= using glue for 'ns4.univie.ac.at.'
[iter] <= using glue for 'ns5.univie.ac.at.'
[iter] <= using glue for 'ns3.univie.ac.at.'
[iter] <= using glue for 'ns8.univie.ac.at.'
[iter] <= referral response, follow
[vldr] >< cut changed, needs revalidation
[resl] <= server: '2001:678:1c::2' rtt: 15 ms
[plan] plan 'univie.ac.at.' type 'DS'
[plan] plan 'ac.at.' type 'DS'
[resl] => querying: '2001:628:2030:4301::2' score: 10 zone cut: 'at.' m12n: 'aC.aT.' type: 'DS' proto: 'udp'
[iter] <= rcode: NOERROR
[vldr] <= can't prove NODATA due to optout, going insecure
[vldr] <= DS doesn't exist, going insecure
[vldr] <= parent: updating DS
[vldr] <= answer valid, OK
[ pc ] => answer cached for TTL=900
[resl] <= server: '2001:628:2030:4301::2' rtt: 15 ms
[resl] => querying: '2a02:568:281::130' score: 10 zone cut: 'ac.at.' m12n: 'UNIViE.Ac.at.' type: 'DS' proto: 'udp'
[iter] <= rcode: NOERROR
[ pc ] => answer cached for TTL=900
[resl] <= server: '2a02:568:281::130' rtt: 19 ms
[plan] plan 'univie.ac.at.' type 'DS'
[ pc ] => satisfied from cache
[iter] <= rcode: NOERROR
[vldr] <= bogus proof of DS non-existence
[resl] finished: 8, queries: 4, mempool: 49200 B
... and running the same immediately again succeeds:
[plan] plan 'ns10.univie.ac.at.' type 'A'
[plan] plan 'ac.at.' type 'DS'
[ pc ] => satisfied from cache
[iter] <= rcode: NOERROR
[vldr] <= DS doesn't exist, going insecure
[vldr] <= parent: updating DS
[vldr] <= answer valid, OK
[resl] => querying: '2a02:568:20:1::d' score: 10 zone cut: 'ac.at.' m12n: 'UNivIe.Ac.aT.' type: 'NS' proto: 'udp'
[iter] <= using glue for 'ns7.univie.ac.at.'
[iter] <= using glue for 'ns8.univie.ac.at.'
[iter] <= using glue for 'ns10.univie.ac.at.'
[iter] <= using glue for 'ns3.univie.ac.at.'
[iter] <= using glue for 'ns5.univie.ac.at.'
[iter] <= using glue for 'ns4.univie.ac.at.'
[iter] <= referral response, follow
[resl] <= server: '2a02:568:20:1::d' rtt: 19 ms
[resl] => querying: '2001:67c:133c::2' score: 10 zone cut: 'univie.ac.at.' m12n: 'NS10.UNIviE.Ac.At.' type: 'A' proto: 'udp'
[iter] <= using glue for 'ns5.univie.ac.at.'
[iter] <= using glue for 'ns3.univie.ac.at.'
[iter] <= using glue for 'ns4.univie.ac.at.'
[iter] <= using glue for 'ns10.univie.ac.at.'
[iter] <= using glue for 'ns8.univie.ac.at.'
[iter] <= using glue for 'ns7.univie.ac.at.'
[iter] <= rcode: NOERROR
[resl] <= server: '2001:67c:133c::2' rtt: 15 ms
[resl] finished: 4, queries: 2, mempool: 49200 B
This is on master; I tried on the dns-oarc branch but it looks the same. EDIT: it also looks the same on 1.0.0 (with knot-2.2.1).