DNSSEC error for gma.vmathlive.com but DNSViz says domain is OK
Hi,
I am investigating an issue with gma.vmathlive.com
domain. Knot resolver states there is a [dnssec] validation error for this domain, but when I am trying to debug this using DNSViz, it seems like the DNSSEC is ok.
I am getting this resolution log from Knot resolver:
[iterat][66078.00] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][66078.01] => no NSEC* cached for zone: com.
[cache ][66078.01] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66078.01] => skipping zone: com., NSEC, hash 0;new TTL -123456789, ret -2
[zoncut][66078.01] found cut: com. (rank 002 return codes: DS 0, DNSKEY 0)
[select][66078.01] => id: '43261' choosing from addresses: 13 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.01] => id: '43261' choosing: 'b.gtld-servers.net.'@'192.33.14.30#00053' with timeout 26 ms zone cut: 'com.'
[resolv][66078.01] => id: '43261' querying: 'b.gtld-servers.net.'@'192.33.14.30#00053' zone cut: 'com.' qname: 'VmAThlIvE.coM.' qtype: 'NS' proto: 'udp'
[select][66078.01] => id: '43261' updating: 'b.gtld-servers.net.'@'192.33.14.30#00053' zone cut: 'com.' with rtt 3 to srtt: 6 and variance: 3
[iterat][66078.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 43261
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 3
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
vmathlive.com. NS
;; AUTHORITY SECTION
vmathlive.com. 172800 NS ns1.cambiumlearning.com.
vmathlive.com. 172800 NS ns2.cambiumlearning.com.
vmathlive.com. 86400 DS 38134 13 4 DC5F0BEA08FB6D643D89D74A14EDCD210C085E3B6782B9782FEE91BB66A76A83B4181774E0723461AC9B6F18C402C447
vmathlive.com. 86400 DS 38134 13 2 1BA1023E142BCB7B0F7CB6AC4C00771D100F326AC905DAC6074E41AFB25D7870
vmathlive.com. 86400 DS 38134 13 1 902FF916A6140AA401A187EEBDBD636EDFA7EFB1
vmathlive.com. 86400 RRSIG DS 8 2 86400 1677479970 1676870970 36739 com. vOM/iMztbhiYHxhbkI/Yf4t5OWquuKD8OscNNjsapaQ7qruzuAahkk7pD63I1sq+vM62+LvNW1hbK3hWkvqL6yzVPuoNu3fDn/WcxEEn4Kun1/kz2n3PEWdU1jgMnh3WpmzyAmMq33AagPtQT6AvA0hPAoH7nKr7TT+xlh1G9bpI7KFgl3AvMf2xq3N48JwhvxDf/jJx3yhx/xyOz3Hxsw==
;; ADDITIONAL SECTION
ns1.cambiumlearning.com. 172800 A 66.248.224.140
ns2.cambiumlearning.com. 172800 A 50.238.167.169
[iterat][66078.01] <= loaded 2 glue addresses
[iterat][66078.01] <= referral response, follow
[valdtr][66078.01] <= DS: OK
[valdtr][66078.01] <= answer valid, OK
[cache ][66078.01] => stashed vmathlive.com. DS, rank 060, 318 B total, incl. 1 RRSIGs
[cache ][66078.01] => stashed vmathlive.com. NS, rank 002, 70 B total, incl. 0 RRSIGs
[cache ][66078.01] => stashed also 2 nonauth RRsets
[iterat][66078.01] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .02, parent uid .00
[plan ][66078.02] plan 'vmathlive.com.' type 'DNSKEY' uid [66078.03]
[iterat][66078.03] 'vmathlive.com.' type 'DNSKEY' new uid was assigned .04, parent uid .02
[cache ][66078.04] => no NSEC* cached for zone: vmathlive.com.
[cache ][66078.04] => skipping zone: vmathlive.com., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][66078.04] => skipping zone: vmathlive.com., NSEC, hash 0;new TTL -123456789, ret -2
[select][66078.04] => id: '18904' choosing from addresses: 2 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.04] => id: '18904' choosing: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' with timeout 400 ms zone cut: 'vmathlive.com.'
[resolv][66078.04] => id: '18904' querying: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' qname: 'vmatHLiVe.Com.' qtype: 'DNSKEY' proto: 'udp'
[select][66078.04] => id: '18904' updating: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' with rtt 133 to srtt: 133 and variance: 66
[iterat][66078.04] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 18904
;; Flags: qr aa QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
vmathlive.com. DNSKEY
;; ANSWER SECTION
vmathlive.com. 3600 RRSIG DNSKEY 13 2 3600 1677715200 1675900800 38134 vmathlive.com. LGEYXMp94nHpWX1vx7RaIFevV80jc/pOWub8+zkDq+ZnFnZ21KsiTiNwdGXdmDcjfS/DmzbYmQ1uk0PDPkTM8Q==
vmathlive.com. 3600 DNSKEY 257 3 13 WOWG2N+2P72hJS7k0mvEbOFNyo/d7qIa5qb2Kyj0oYz65nPhOIxZ8sc/1C3qAVINMyrOyOK2LtHsjg8sA7pr5Q==
;; ADDITIONAL SECTION
[iterat][66078.04] <= rcode: NOERROR
[valdtr][66078.04] <= parent: updating DNSKEY
[valdtr][66078.04] <= answer valid, OK
[cache ][66078.04] => stashed vmathlive.com. DNSKEY, rank 060, 184 B total, incl. 1 RRSIGs
[iterat][66078.02] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .05, parent uid .00
[select][66078.05] => id: '20059' choosing from addresses: 2 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.05] => id: '20059' choosing: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' with timeout 400 ms zone cut: 'vmathlive.com.'
[resolv][66078.05] => id: '20059' querying: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' qname: 'Gma.VMaTHLIve.cOM.' qtype: 'AAAA' proto: 'udp'
[select][66078.05] => id: '20059' updating: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' with rtt 109 to srtt: 109 and variance: 54
[iterat][66078.05] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 20059
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
gma.vmathlive.com. AAAA
;; AUTHORITY SECTION
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. Kd4huzuDTm2sR0FffNa6Cv5bu7hcaQhzaV9seqiL0HfoZ+XdWCf0B7s7/k5bxnVQPuOb1jUAMa7ncCXXB/L3nw==
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. 5lT1gBZAZ3h1C0uRU6TeK3IgRTpxmZttV4ahGbrRPnipMdHrN9B+PQK3Jd0v5jjwgTdcsiOpK6c8tMyRdR3+Fg==
;; ADDITIONAL SECTION
[iterat][66078.05] <= rcode: NOERROR
[valdtr][66078.05] <= bad NODATA proof
[select][66078.05] => id: '20059' noting selection error: 'ns2.cambiumlearning.com.'@'50.238.167.169#00053' zone cut: 'vmathlive.com.' error: 14 DNSSEC_ERROR
[cache ][66078.05] => stashed vmathlive.com. NSEC, rank 060, 140 B total, incl. 1 RRSIGs
[cache ][66078.05] => stashed vmathlive.com. SOA, rank 060, 194 B total, incl. 1 RRSIGs
[cache ][66078.05] => nsec_p stashed for vmathlive.com. (new, hash: 0)
[cache ][66078.05] => stashed packet: rank 025, TTL 300, AAAA gma.vmathlive.com. (379 B)
[iterat][66078.05] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .06, parent uid .00
[select][66078.06] => id: '33899' choosing from addresses: 1 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.06] => id: '33899' choosing: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' with timeout 397 ms zone cut: 'vmathlive.com.'
[resolv][66078.06] => id: '33899' querying: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' qname: 'GmA.VmaTHlIVE.Com.' qtype: 'AAAA' proto: 'udp'
[select][66078.06] => id: '33899' updating: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' with rtt 126 to srtt: 132 and variance: 51
[iterat][66078.06] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33899
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
gma.vmathlive.com. AAAA
;; AUTHORITY SECTION
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. tua7ePdyjjRyyRDyr3gdankU7Xz2QUVOgfbErT6ssGtxGhLueKj8TLy3fgdkAZlsUtLTQoHParWTek6wc3ccSg==
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. wbGfikMJDqGkfDCn+7XQX7leUDIoAfYwZRtA0yysmg0MDJNFi7Cn6sw1He+JlWkX7zX2Vsk2oNhQE7a+u5fZNA==
;; ADDITIONAL SECTION
[iterat][66078.06] <= rcode: NOERROR
[valdtr][66078.06] <= bad NODATA proof
[select][66078.06] => id: '33899' noting selection error: 'ns1.cambiumlearning.com.'@'66.248.224.140#00053' zone cut: 'vmathlive.com.' error: 14 DNSSEC_ERROR
[cache ][66078.06] => stashed vmathlive.com. NSEC, rank 060, 140 B total, incl. 1 RRSIGs
[cache ][66078.06] => stashed vmathlive.com. SOA, rank 060, 194 B total, incl. 1 RRSIGs
[cache ][66078.06] => nsec_p stash for vmathlive.com. skipped (extra TTL: 0, hash: 0)
[cache ][66078.06] => not overwriting AAAA gma.vmathlive.com.
[iterat][66078.06] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .07, parent uid .00
[select][66078.07] => id: '57610' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.07] => id: '57610' no suitable transport, zone cut: 'vmathlive.com.'
[iterat][66078.07] 'gma.vmathlive.com.' type 'AAAA' new uid was assigned .08, parent uid .00
[select][66078.08] => id: '47107' choosing from addresses: 0 v4 + 0 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
[select][66078.08] => id: '47107' no suitable transport, zone cut: 'vmathlive.com.'
[resolv][66078.00] request failed, answering with empty SERVFAIL
[resolv][66078.08] finished in state: 8, queries: 2, mempool: 98352 B
;; selected from ANSWER sections:
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
vmathlive.com. 3600 RRSIG DNSKEY 13 2 3600 1677715200 1675900800 38134 vmathlive.com. LGEYXMp94nHpWX1vx7RaIFevV80jc/pOWub8+zkDq+ZnFnZ21KsiTiNwdGXdmDcjfS/DmzbYmQ1uk0PDPkTM8Q==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 4, revalidations 0
vmathlive.com. 3600 DNSKEY 257 3 13 WOWG2N+2P72hJS7k0mvEbOFNyo/d7qIa5qb2Kyj0oYz65nPhOIxZ8sc/1C3qAVINMyrOyOK2LtHsjg8sA7pr5Q==
;; selected from AUTHORITY sections:
; ranked rrset to_wire false, rank 002 (try), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 NS ns1.cambiumlearning.com.
vmathlive.com. 3600 NS ns2.cambiumlearning.com.
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 DS 38134 13 1 902FF916A6140AA401A187EEBDBD636EDFA7EFB1
vmathlive.com. 3600 DS 38134 13 2 1BA1023E142BCB7B0F7CB6AC4C00771D100F326AC905DAC6074E41AFB25D7870
vmathlive.com. 3600 DS 38134 13 4 DC5F0BEA08FB6D643D89D74A14EDCD210C085E3B6782B9782FEE91BB66A76A83B4181774E0723461AC9B6F18C402C447
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 1, revalidations 0
vmathlive.com. 3600 RRSIG DS 8 2 86400 1677479970 1676870970 36739 com. vOM/iMztbhiYHxhbkI/Yf4t5OWquuKD8OscNNjsapaQ7qruzuAahkk7pD63I1sq+vM62+LvNW1hbK3hWkvqL6yzVPuoNu3fDn/WcxEEn4Kun1/kz2n3PEWdU1jgMnh3WpmzyAmMq33AagPtQT6AvA0hPAoH7nKr7TT+xlh1G9bpI7KFgl3AvMf2xq3N48JwhvxDf/jJx3yhx/xyOz3Hxsw==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. Kd4huzuDTm2sR0FffNa6Cv5bu7hcaQhzaV9seqiL0HfoZ+XdWCf0B7s7/k5bxnVQPuOb1jUAMa7ncCXXB/L3nw==
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire false, rank 060 (auth secure), cached true, qry_uid 5, revalidations 0
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. 5lT1gBZAZ3h1C0uRU6TeK3IgRTpxmZttV4ahGbrRPnipMdHrN9B+PQK3Jd0v5jjwgTdcsiOpK6c8tMyRdR3+Fg==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 SOA ns1.cambiumlearning.com. hostmaster.cambiumlearning.com. 2022082611 10800 3600 604800 3600
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 RRSIG SOA 13 2 300 1677715200 1675900800 38134 vmathlive.com. tua7ePdyjjRyyRDyr3gdankU7Xz2QUVOgfbErT6ssGtxGhLueKj8TLy3fgdkAZlsUtLTQoHParWTek6wc3ccSg==
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 NSEC vmathlive.com. A NS SOA RRSIG NSEC DNSKEY
; ranked rrset to_wire true, rank 060 (auth secure), cached true, qry_uid 6, revalidations 0
vmathlive.com. 300 RRSIG NSEC 13 2 300 1677715200 1675900800 38134 vmathlive.com. wbGfikMJDqGkfDCn+7XQX7leUDIoAfYwZRtA0yysmg0MDJNFi7Cn6sw1He+JlWkX7zX2Vsk2oNhQE7a+u5fZNA==
;; selected from ADDITIONAL sections:
; ranked rrset to_wire false, rank 001 (omit), cached true, qry_uid 1, revalidations 0
ns1.cambiumlearning.com. 3600 A 66.248.224.140
; ranked rrset to_wire false, rank 001 (omit), cached true, qry_uid 1, revalidations 0
ns2.cambiumlearning.com. 3600 A 50.238.167.169
DNSViz DNSSEC analysis result
Any idea what might be wrong?
Thanks in advance for your assistance!