resolving broken DNSSEC domain succeeds
The query 'www.promotext.ch TXT' cannot be resolved on DNSSEC validating resolvers except for knot-resolver where it works!
The error according to dnsviz:
NSEC proving non-existence of www.promotext.ch/A: The NSEC RR covers the wildcard itself (*.promotext.ch), indicating that it doesn't exist.
dig output from my knot-resolver 3.2.1-2 (running on Turris Omnia):
dig @::1 www.promotext.ch TXT +dnssec
; <<>> DiG 9.12.3-P4 <<>> @::1 www.promotext.ch TXT +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14110
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.promotext.ch. IN TXT
;; AUTHORITY SECTION:
promotext.ch. 770 IN SOA dns11.firestorm.ch. info.firestorm.ch. 2019044974 10800 3600 604800 3600
promotext.ch. 770 IN RRSIG SOA 13 2 3600 20190509000000 20190418000000 32821 promotext.ch. Eex+u6NKjUSn897vTM0KjFWOfooKqg0gvxnqa6wiCxcTnRB2v2A8I1cA pi1c3EO/QPGX8fW5ZXi0fvN4t9N/oA==
promotext.ch. 770 IN NSEC promotext.ch. A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY CAA
promotext.ch. 770 IN RRSIG NSEC 13 2 3600 20190509000000 20190418000000 32821 promotext.ch. B4iCQU8wY30D2btNEOnREsu3hNtz61iWCXwVUcgSbZC360uwvAiF7FJv gicQLvymzP4khZ6P+aAlOZeVIJGVxw==
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Apr 25 17:38:35 CEST 2019
;; MSG SIZE rcvd: 357
dig output from Cloudflare running some version of knot-resolver:
dig @1.1.1.1 www.promotext.ch TXT +dnssec
; <<>> DiG 9.12.3-P4 <<>> @1.1.1.1 www.promotext.ch TXT +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54293
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;www.promotext.ch. IN TXT
;; AUTHORITY SECTION:
promotext.ch. 3600 IN SOA dns11.firestorm.ch. info.firestorm.ch. 2019044974 10800 3600 604800 3600
promotext.ch. 3600 IN RRSIG SOA 13 2 3600 20190509000000 20190418000000 32821 promotext.ch. 9OXanEGne/gEGPvmrFGjjMUe+BK/rZWxEZiiKg3VFqIqHPgNOXQJcgtv cBA2ko9prGl0/A7fAKbYTA2NAghC1Q==
promotext.ch. 3600 IN NSEC promotext.ch. A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY CAA
promotext.ch. 3600 IN RRSIG NSEC 13 2 3600 20190509000000 20190418000000 32821 promotext.ch. 4k1lb9+ip/NbLKfs/J/YeQ1fiYpY2YXe+3SVOhPywDwFuxHNtaJetS7T bjadxH0Vei4YrS1tsUp4lsIeP9rl/Q==
;; Query time: 16 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Apr 25 17:38:41 CEST 2019
;; MSG SIZE rcvd: 357
Any other DNSSEC validating resolver I have tried returns SERVFAIL, e.g.
dig @8.8.8.8 www.promotext.ch TXT +dnssec
; <<>> DiG 9.12.3-P4 <<>> @8.8.8.8 www.promotext.ch TXT +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62110
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.promotext.ch. IN TXT
;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Apr 25 17:38:32 CEST 2019
;; MSG SIZE rcvd: 45
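
An added example, not part of the original report and not knot-resolver's code: a minimal Python check of which names the single NSEC record in the dig output above covers, using RFC 4034 section 6.1 canonical ordering. The function names are illustrative, and the code assumes ASCII names and that the zone apex is the closest encloser of the query name.

```python
# Added example: RFC 4034 section 6.1 canonical ordering and NSEC coverage.
# Simplifications (assumptions): ASCII names, no escaped dots in labels, and
# the zone apex is taken as the closest encloser of the query name.

def canonical_key(name):
    """Lowercased labels, most significant (rightmost) first, as bytes."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def in_zone(zone, name):
    z, q = canonical_key(zone), canonical_key(name)
    return q[:len(z)] == z

def nsec_covers(owner, next_name, name):
    """True if name sorts strictly inside the gap this NSEC record spans."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, name))
    if o < n:
        return o < q < n
    # Last record of the chain wraps to the apex; owner == next means the
    # zone has a single name and the gap is everything except that name.
    return q > o or q < n

def what_nsec_proves(zone, owner, next_name, types, qname, qtype):
    if not in_zone(zone, qname):
        return "out of zone"
    if canonical_key(owner) == canonical_key(qname):
        return "type exists" if qtype in types else "NODATA"
    name_denied = nsec_covers(owner, next_name, qname)
    wildcard_denied = nsec_covers(owner, next_name, "*." + zone)
    if name_denied and wildcard_denied:
        return "NXDOMAIN"
    if name_denied:
        return "name denied, wildcard not denied"
    return "no proof"

# NSEC record copied from the AUTHORITY section above.
ZONE = OWNER = NEXT = "promotext.ch."
TYPES = "A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY CAA".split()

if __name__ == "__main__":
    for qname, qtype in [("www.promotext.ch.", "TXT"), ("promotext.ch.", "AAAA")]:
        print(qname, qtype, "->",
              what_nsec_proves(ZONE, OWNER, NEXT, TYPES, qname, qtype))
```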