ouvaton.coop. does not validate: bogus proof of DS non-existence
% dig A existrans.org
; <<>> DiG 9.10.3-P4-Debian <<>> A existrans.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44984
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;existrans.org. IN A
;; Query time: 127 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Sun Oct 22 08:59:12 UTC 2017
;; MSG SIZE rcvd: 31
With +cd, it works, as if it were a DNSSEC problem:
% dig +cd A existrans.org
; <<>> DiG 9.10.3-P4-Debian <<>> +cd A existrans.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22396
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;existrans.org. IN A
;; ANSWER SECTION:
existrans.org. 234 IN A 194.36.166.10
;; Query time: 0 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Sun Oct 22 08:59:16 UTC 2017
;; MSG SIZE rcvd: 58
But the domain is not signed, and never was, according to DNSDB.
So, the SERVFAIL is clearly spurious.
The only issue I see in the domain is that the NS set in the delegation is not the same as in the zone (I ping the zonemaster). But both sets are managed by the same organisation.
% kresd --version
Knot DNS Resolver, version 1.3.3
(On a Turris Omnia)
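The comparison made in the report (the same query with and without +cd), as an added example that is not part of the original report or of Knot Resolver: a small Python triage that parses the dig header lines and classifies the pair. The function names and verdict strings are assumptions; the two sample headers are copied from the dig output above.

```python
import re

# Header lines copied from the two dig runs in the report above.
NORMAL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44984
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
WITH_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22396
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096"""

STATUS_RE = re.compile(r"status:\s*(\w+)")
# Anchored to the header line so the EDNS "flags: do" line is not matched.
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.MULTILINE)


def parse_dig(text):
    """Return (rcode, set of header flags) from dig's text output."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig response header found")
    return status.group(1).upper(), set(flags.group(1).split())


def triage(normal_out, cd_out):
    """Classify a query sent normally and again with +cd (hypothetical helper)."""
    rcode, flags = parse_dig(normal_out)
    cd_rcode, cd_flags = parse_dig(cd_out)
    if "cd" not in cd_flags:
        return "inconclusive: second response does not carry the cd flag"
    if rcode == "SERVFAIL" and cd_rcode == "SERVFAIL":
        return "resolution failure: fails even with checking disabled"
    if rcode == "SERVFAIL":
        return "validation failure: resolver answers only with checking disabled"
    if rcode != cd_rcode:
        return "inconsistent: rcodes differ without a SERVFAIL"
    if "ad" in flags:
        return "validated: resolver set the ad flag"
    return "no validation failure: answer is insecure or not validated"


if __name__ == "__main__":
    print(triage(NORMAL, WITH_CD))
```

A "validation failure" verdict only says the validator rejected the answer; it does not say whether the zone or the resolver is at fault, which is the question this report raises for an unsigned domain.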