SERVFAIL due to DNSSEC validation for various domains
Hello, I'm experiencing SERVFAIL answers from the resolver for various domains. After the first request, the resolver keeps returning SERVFAIL for several minutes (cache), and then it starts working normally.
The resolver is configured to forward queries to 1.1.1.1 with TLS.
dig @127.0.0.1 www.pjatak.cz
; <<>> DiG 9.11.14-RedHat-9.11.14-2.fc31 <<>> @127.0.0.1 www.pjatak.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54116
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.pjatak.cz. IN A
;; Query time: 390 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Ne máj 31 15:18:59 CEST 2020
;; MSG SIZE rcvd: 42
resolver logs:
máj 31 15:18:42 localhost.localdomain kresd[1569]: [00000.00][plan] plan 'www.pjatak.cz.' type 'A' uid [02431.00]
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.00][iter] 'www.pjatak.cz.' type 'A' new uid was assigned .01, parent uid .00
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => skipping unfit nsec_p: new TTL -18151343, error -116
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => trying zone: cz., NSEC3, hash 1479a4a7
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 depth 2: hash 1va82mb76jvko8sbtcr95qivtu3fpkrr
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 encloser error for www.pjatak.cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 depth 1: hash g1eiq4lu8266c9lc3bdp3butasbllif5
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 encloser error for pjatak.cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 depth 0: hash 5571d26g1u4qeqgoheriiiorkjq0rlba
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 encloser error for cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => trying zone: cz., NSEC3, hash 3662e2e8
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 depth 2: hash j6te5f35rn1stuav53lv9g1ptjehh9ub
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 encloser error for www.pjatak.cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 depth 1: hash 2p69cpiadt9t2qnk2e5rd2s3rlpl51h0
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 encloser error for pjatak.cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 depth 0: hash slugdha9hu87ndl6j49km4e99n33b518
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][cach] => NSEC3 encloser error for cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][plan] plan '.' type 'DNSKEY' uid [02431.02]
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.02][iter] '.' type 'DNSKEY' new uid was assigned .03, parent uid .01
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.03][cach] => satisfied by exact RRset: rank 060, new TTL 3707
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.03][iter] <= rcode: NOERROR
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.03][vldr] <= parent: updating DNSKEY
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.03][vldr] <= answer valid, OK
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.01][iter] 'www.pjatak.cz.' type 'A' new uid was assigned .04, parent uid .00
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.04][plan] plan 'cz.' type 'DS' uid [02431.05]
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.05][iter] 'cz.' type 'DS' new uid was assigned .06, parent uid .04
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.06][cach] => satisfied by exact RRset: rank 060, new TTL 71684
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.06][iter] <= rcode: NOERROR
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.06][vldr] <= DS: OK
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.06][vldr] <= parent: updating DS
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.06][vldr] <= answer valid, OK
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.04][iter] 'www.pjatak.cz.' type 'A' new uid was assigned .07, parent uid .00
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.07][plan] plan 'cz.' type 'DNSKEY' uid [02431.08]
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.08][iter] 'cz.' type 'DNSKEY' new uid was assigned .09, parent uid .07
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.09][cach] => satisfied by exact RRset: rank 060, new TTL 8225
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.09][iter] <= rcode: NOERROR
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.09][vldr] <= parent: updating DNSKEY
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.09][vldr] <= answer valid, OK
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.07][iter] 'www.pjatak.cz.' type 'A' new uid was assigned .10, parent uid .00
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.10][plan] plan 'pjatak.cz.' type 'DS' uid [02431.11]
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.11][iter] 'pjatak.cz.' type 'DS' new uid was assigned .12, parent uid .10
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => skipping exact RR: rank 060 (min. 030), new TTL -18666143
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => trying zone: cz., NSEC3, hash 1479a4a7
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => NSEC3 depth 1: hash g1eiq4lu8266c9lc3bdp3butasbllif5
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => NSEC3 encloser error for pjatak.cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => NSEC3 depth 0: hash 5571d26g1u4qeqgoheriiiorkjq0rlba
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => NSEC3 encloser error for cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => trying zone: cz., NSEC3, hash 3662e2e8
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => NSEC3 depth 1: hash 2p69cpiadt9t2qnk2e5rd2s3rlpl51h0
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => NSEC3 encloser error for pjatak.cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => NSEC3 depth 0: hash slugdha9hu87ndl6j49km4e99n33b518
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => NSEC3 encloser error for cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [ ][nsre] score 21 for 1.1.1.1#00853; cached RTT: 12
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][resl] => id: '48127' querying: '1.1.1.1#00853' score: 21 zone cut: 'cz.' qname: 'pjAtAk.cZ.' qtype: 'DS' proto: 'tcp'
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Preparing Packet Application Data(23) with length: 40 and min pad: 0
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Sent Packet[22] Application Data(23) in epoch 2 and length: 62
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: SSL 3.3 Application Data packet received. Epoch 2, length: 487
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Expected Packet Application Data(23)
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Received Packet Application Data(23) with length: 487
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Decrypted Packet[22] Application Data(23) with length: 470
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1775
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][iter] <= rcode: NOERROR
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][vldr] <= DS: OK
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][vldr] <= parent: updating DS
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][vldr] <= answer valid, OK
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][cach] => stashed pjatak.cz. DS, rank 060, 178 B total, incl. 1 RRSIGs
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][resl] <= server: '1.1.1.1' rtt: 14 ms
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.10][iter] 'www.pjatak.cz.' type 'A' new uid was assigned .13, parent uid .00
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.13][plan] plan 'pjatak.cz.' type 'DNSKEY' uid [02431.14]
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.14][iter] 'pjatak.cz.' type 'DNSKEY' new uid was assigned .15, parent uid .13
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => skipping exact RR: rank 060 (min. 030), new TTL -18667943
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => skipping unfit nsec_p: new TTL -18151343, error -116
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => trying zone: cz., NSEC3, hash 1479a4a7
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => NSEC3 depth 1: hash g1eiq4lu8266c9lc3bdp3butasbllif5
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => NSEC3 encloser error for pjatak.cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => NSEC3 depth 0: hash 5571d26g1u4qeqgoheriiiorkjq0rlba
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => NSEC3 encloser error for cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => trying zone: cz., NSEC3, hash 3662e2e8
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => NSEC3 depth 1: hash 2p69cpiadt9t2qnk2e5rd2s3rlpl51h0
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => NSEC3 encloser error for pjatak.cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => NSEC3 depth 0: hash slugdha9hu87ndl6j49km4e99n33b518
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => NSEC3 encloser error for cz.: range search found stale or insecure entry
máj 31 15:18:42 localhost.localdomain kresd[1569]: [ ][nsre] score 21 for 1.1.1.1#00853; cached RTT: 13
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][resl] => id: '06792' querying: '1.1.1.1#00853' score: 21 zone cut: 'pjatak.cz.' qname: 'PJAtak.Cz.' qtype: 'DNSKEY' proto: 'tcp'
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Preparing Packet Application Data(23) with length: 40 and min pad: 0
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Sent Packet[23] Application Data(23) in epoch 2 and length: 62
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: SSL 3.3 Application Data packet received. Epoch 2, length: 2359
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Expected Packet Application Data(23)
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Received Packet Application Data(23) with length: 2359
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Decrypted Packet[23] Application Data(23) with length: 2342
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1775
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][iter] <= rcode: NOERROR
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][vldr] <= parent: updating DNSKEY
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][vldr] <= answer valid, OK
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][cach] => stashed pjatak.cz. DNSKEY, rank 060, 2150 B total, incl. 2 RRSIGs
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][resl] <= server: '1.1.1.1' rtt: 125 ms
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.13][iter] 'www.pjatak.cz.' type 'A' new uid was assigned .16, parent uid .00
máj 31 15:18:42 localhost.localdomain kresd[1569]: [ ][nsre] score 21 for 1.1.1.1#00853; cached RTT: 69
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.16][resl] => id: '37496' querying: '1.1.1.1#00853' score: 21 zone cut: 'pjatak.cz.' qname: 'WwW.pjatAK.Cz.' qtype: 'A' proto: 'tcp'
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Preparing Packet Application Data(23) with length: 44 and min pad: 0
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Sent Packet[24] Application Data(23) in epoch 2 and length: 66
máj 31 15:18:43 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: SSL 3.3 Application Data packet received. Epoch 2, length: 487
máj 31 15:18:43 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Expected Packet Application Data(23)
máj 31 15:18:43 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Received Packet Application Data(23) with length: 487
máj 31 15:18:43 localhost.localdomain kresd[1569]: [gnutls] (5) REC[0x560140e94700]: Decrypted Packet[24] Application Data(23) with length: 470
máj 31 15:18:43 localhost.localdomain kresd[1569]: [gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
máj 31 15:18:43 localhost.localdomain kresd[1569]: [gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1775
máj 31 15:18:43 localhost.localdomain kresd[1569]: [02431.16][iter] <= rcode: SERVFAIL
máj 31 15:18:43 localhost.localdomain kresd[1569]: [02431.16][resl] finished: 8, queries: 5, mempool: 98400 B
dig @8.8.8.8 www.pjatak.cz
; <<>> DiG 9.11.14-RedHat-9.11.14-2.fc31 <<>> @8.8.8.8 www.pjatak.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21293
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.pjatak.cz. IN A
;; ANSWER SECTION:
www.pjatak.cz. 599 IN CNAME pjatak.cz.
pjatak.cz. 599 IN A 37.205.10.111
;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Ne máj 31 15:19:10 CEST 2020
;; MSG SIZE rcvd: 72
dig +sigchase @8.8.8.8 www.pjatak.cz
;; RRset to chase:
www.pjatak.cz. 599 IN CNAME pjatak.cz.
;; RRSIG of the RRset to chase:
www.pjatak.cz. 599 IN RRSIG CNAME 7 2 600 20201012182307 20191013182307 56890 pjatak.cz. ILO+Gb37b2rzE2zCFg3m0Vn6Yoc16Uw3HV+JbgrAVXGHdu10GZWUYTKB F9JXZfZqh7/8npL1rLe8PqkEAkBWjHun3CRe8wOrxkf4rIBnsVPRGr2e tLhVnJIElBCmEltg+HqHhxW6GfOYZ+sxBCzLz8A5ojBz97Wip78wc8nR FN4j2TrzG1SkvkjXNClXokrhA22R4ocT/S1ymv9Ihchtk6WDbBn3YsAl URJZ07ejqpX2Mof9b0YtgCEKemljY6uWwNS84ttxBciRZN1FswlZ9vk3 nwFowfD1AVV+e9lf3Qvjgs9WE8NM6vGJXj3gh4Fu0npk9cI55y1662iu 8Hf7ozagXIte9RGCBo7Cs6H1hOrquqBcDY0CvWynKze2YVOZnAsA4OD3 AvJ/CD4LPXdPwz/cH+UL1aNEf6cV4lJTEiXogcG/ToJXnG3K+unKew+x l18GzQpTZ7sXdHZxmwYscfq1icb5CM8eZmuTjgkm2ALK2au60BKpfEbW X0fEBzxhYEVgaL7i2aMmooVRs+EtnLY/UzXQ30v/Wpp02deRVZlBpsDe Q7vYLdLoJMlgVtL5bauM/nqEeuYNWuux/xIxlHPmAxp0QwjPGxIiLS/v rAl4KPYmmnko1PRNGko624xkw+l5mg/ogwu++DKONhZcd71fUdfXkV6N Yckt7wuCdzA=
Launch a query to find a RRset of type DNSKEY for zone: pjatak.cz.
;; DNSKEYset that signs the RRset to chase:
pjatak.cz. 1799 IN DNSKEY 256 3 7 BQEAAAAB9QdSKCeptWzBV1tlAFU+AaiSGgU7XaUY6YHgtUQ1ggPvJApl v3N9Xt8vB+z7/FThK4gxzQ3xZ+Y0xZ0sEnQVdl05XTfrrOGjwr6x3Pwx wepWONVZ6FXDb+LhEFx95kYOIjhLnyr5UvOHu9vFOEu1mMENo9gdg00D MBX+tXNBxiHIXzsFUE90QmXBro2GH4EHqTX+4ZVuNCOFhzAnp3h+O7SQ TR8npmdRrmWJvC42uT6ODGEFOnstZ+vJDQnc3ZLvzJvuaXK9pUGJmIQ7 5MEs9xcngf7JXRmW/FqsTph0ZcAXUoad8+Tu43Z0+V1Znf7WtCfODqqj KsKklt7CdY7R6NzEV9b5F//rvG88wZeg+PKXNVbQFFSzyguEsFrvjrTT hdKjyDPfbMRl/vMeoB/dfnB1VP5Ds1zMpqqYqiPPVLBmCjuRC2EalK3t Ph3y9U2xE+A2vytXETew+T+nX9ZG62rS7YnKwsMYrSzUPDTXYgCVwsDM /2Ecl5XEpemOnTvMmQGh7LUuYs/kK2hImPew5ntAQC6jnGr37xC3xtBf kFQN4sV5iSOvZWs5mjP2iEhGEFl5fRqU0Zvck0vOCHBBU0oRj8k4VUpU KSFe2W4iKolj2VS9Jr7S5WIFGFMHUfhyC1j5FVAqSyLBnEKOWper3O+d MQrtWTRl5L1H7v96O/E=
pjatak.cz. 1799 IN DNSKEY 257 3 7 BQEAAAABw0H2Xb7JjIuMMVRD3oqWpoXsriUK4sCT2B0TAc9b6v7K+gEI fhtrQ+LImQ/yY4VLZ1z88RDe48LvV2kA3fjB+4tFJTsgmgxCAg29skRN orVLnb6ztSqZO3FuTYgH3yywEw3W4rTkPfthNhiaMEVXVrFDDU4dGhiJ mvIa9mkaPOkIKeRV4gJqs2YSEIhCKeMxkNNGLn1CIXAiFjVbVDcYFv0n 1bBY2iDUllDIRZapMfoSwJMnHI6VXz3CGjxIfcFcr+BUfVFhobqyV848 n4HJcHKMgErtC8xFmRD++Pq/isLbNs48zDSZQY5jJvD30anwzZnzhWJJ 2ZlirUm6pIazB3a6A7V3c381TsRAyY8suy5pkEriSVs4wSfHkiiwd3Z1 sHCTHgefwyRrArFycXR4bvz9sSFOCjbZfJ4S2RFchQa2D+IJsea+kXa+ LGOi2enMd6Jaq5+WB6dUkgWz+9a0/xqCC2ShywyWeazuoLaaejL8NUDf sGj4TEHfkXX+/BodFl6SicWsQEZuNU44/+pyyFqgDKsHu9t8mDtz/IGR Z/Duj9GKTQ4j953Czkic0thvFwqqd6Xm+C48K1qIB1vWqV4AinXDVf/q jbkPxGP01P+riUs5E0zTEoJOtyTtm/xoV5lTwe2PvhysrtGmcTdyqZXD Z6DQnUgkO7BUjlprbnk=
;; RRSIG of the DNSKEYset that signs the RRset to chase:
pjatak.cz. 1799 IN RRSIG DNSKEY 7 2 1800 20201012182307 20191013182307 52247 pjatak.cz. g+D2/BTsi2GpQaqjYpTZbv8VrJcliK/3k05bXiigw0h0uIZdJTTckrHZ mF4kpSO7eT/8HCRRAMgt2fSFBqz1MYpZsdLC6qL1nbssjoHKJlAIrjAU faix6eGuGGBx0iaeaXVtirmOfdX1FzQ5ZinXy5jw6AQdU+95rIXJLA2y IiJHTEkR8ChkBcZSeXccI1KSxQYwQXxwdhDr3ieOIG8b7CYKOgZyOgf8 kalwVg5aasjyU5LSi8YAmrLNg1yji2L2Qm/C0lr2GFdEqbD0cOOL6rl/ lmfzUesrNJu2hznOuLWbwfOdyl13d2U/EVCC7DKZ0F6H6qAXV6eKDp/R RKT9Nd5q2UwcX5jYjYf2qVe8zn4FKezB3fT9SYDVVsMF9oSznM0hehQo UxtqaQDwc5o/eYvc5OZaUQanPuZv5znxPUMtUlC2KW3bQt6Teu0sPofH V6SJRFrSsAD763+oe+x1uCAtPbw07WpPuOZez/jwH5fgUK2wGXOSZh1/ 8Q3Yq7Cl9mGzs/H9aoBT4NkYbsZ3xsNoWm9tNRCBPNkbsQjjA6m8KAx7 8LRyHfHgO6xdFoyAILSHYltyJYKrToRp6iAGfhqCFLTDXk67iNJBovRJ RUPZsBozDiQ525Bx3uw7ilv34ctJmZnEeUzJg2dfw1RaubITnwAVmySG ys2H3yPWmu8=
pjatak.cz. 1799 IN RRSIG DNSKEY 7 2 1800 20201012182307 20191013182307 56890 pjatak.cz. gndqT11S4pB6cBrlzTLhmUsnRCtG1tvkB5w7yT9ZAXFbY/UPUi9j0UQf Tc+IdyFlJSQ/1dgIykbuW2iS59QYGN9N/gw7CfTMbei5oE//oyiztfav 1BRc68R9czF6MCyBOHeuz1lthcoW5GiIAFotl7vMQAKc1kdfBYBA5gyT V/Q3CWkfn0qJiikpkvDeXyQltzgL4n9Kzu+U9nj5gWaoMJx84jcXHPm+ 0zEP/GFxSWtg1B97u21tqyWLn0A1kG0jDXCgclrnh8ok+Pm/G5PC7nj3 rg9HrHcUhRjf5dcLtb9+rPcPOMnHyimcRfTEkKCVjkG5zKJpJIJ8I84i 8u8D+/sGRDAKQzndgh2koNyiiJa57zQay5Z4n2ipmRgSW7bpgQHLiwTu pw4r7Ir1jkTFTRAch9xeo3q28Oxm1n0pFrgGY/guR8hc9rmGo3S7Cfxh yOKsYeTqcccZ7ohdl8mLz6m0IaMehG1C9mQG2p+pkV1Jqd/IL5g2VS7N P2JP3qJ4q4LzlVxqJm18GVFQVfD/KU0pbbzBIIMXiEEnS6LCIeKVizXM jIWxOpZ+PKpoHXEQa4QJyLpst/4cZKhWQ0Jw9C6E7cyHZasu8n6qPsNW 526QMfvwvuXTjJU/8e20HhIHNby9+6lSmW78IZsmjoCxNrK9VLGr3HA0 dOFJAMsbBfs=
Launch a query to find a RRset of type DS for zone: pjatak.cz.
;; DSset of the DNSKEYset
pjatak.cz. 3599 IN DS 52247 7 2 2D07C4B5141F429688C3B65A46E67C1FB1F12E18294B0F537D499858 367ADA74
pjatak.cz. 3599 IN DS 56890 7 2 4354E245F9946922D33EAF0E4FB6FC6E21A9522589C0FCF27DBF1E9C 40501F0C
;; RRSIG of the DSset of the DNSKEYset
pjatak.cz. 3599 IN RRSIG DS 13 2 3600 20200611215106 20200529000420 17880 cz. x77/cRqUShOeQq69K/tNkQaDOdGUawrDyndA1jesm2Enkn7alQx5nXTe GKfzlsL6TMAJzykqTmWjR238QFf+0Q==
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING CNAME RRset for www.pjatak.cz. with DNSKEY:56890: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for pjatak.cz. with DNSKEY:52247: success
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS : recursive call
Launch a query to find a RRset of type DNSKEY for zone: cz.
;; DNSKEYset that signs the RRset to chase:
cz. 17856 IN DNSKEY 256 3 13 G6mZG1HCWR18kSFRh8pEOQ0YB9n1ZvTekMJ0eydjdmt81mDEgiNQJ7Uo swUSwpx1cx9Gs63STudcK0Fs2lVKGg==
cz. 17856 IN DNSKEY 256 3 13 vCLlUrpvver9SfRlGSZvYrlxaHr+l3EvtLfaIzvZkHVK1aVTBB1a1rMk 4ZfSKFpWD9l2M83k0s92jwD97QklNQ==
cz. 17856 IN DNSKEY 257 3 13 nqzH7xP1QU5UOVy/VvxFSlrB/XgX9JDJzj51PzIj35TXjZTyalTlAT/f 7PAfaSD5mEG1N8Vk9NmI2nxgQqhzDQ==
;; RRSIG of the DNSKEYset that signs the RRset to chase:
cz. 17856 IN RRSIG DNSKEY 13 1 18000 20200605000000 20200529000000 20237 cz. U+pFqltP3ph0g6SfhFiLLMQtO4mWS7R6E72HwUXhV5yJj38vbsvchiKK SRYnWCvn7xatQGa1VqsGRlTn/3BxtQ==
cz. 17856 IN RRSIG DNSKEY 13 1 18000 20200614004859 20200531103539 17880 cz. ld25thn3UE4gJpRaMJuRkM7UIGYG8xiepop9Ez2ySzPFdy5bKnCXJHl8 f3mjmYUK9wUrIVyVLl0LAs8BnDw8zQ==
Launch a query to find a RRset of type DS for zone: cz.
;; DSset of the DNSKEYset
cz. 85902 IN DS 20237 13 2 CFF0F3ECDBC529C1F0031BA1840BFB835853B9209ED1E508FFF48451 D7B778E2
;; RRSIG of the DSset of the DNSKEYset
cz. 85902 IN RRSIG DS 8 1 86400 20200613050000 20200531040000 48903 . p0WkKaNOaIJzhfcqurL9H3KIJ/zKjhUXuNHnYivBZIknSauUAN7seYpv FxTme0ui7Ik075nYJPzzV+s66EEN103syKECI0g4B3KxQZ+KiYJ3X9ZC Li09nATY76ATHzqRuLMVti1QGo6AgleTUhl7okQBm8x+9BNTkInK6GE9 LAQ7NsbTucRqwQ2uqKUfRzqUeRugHV/EdnvXVYGefF3QQfmf8d6ueJ8w sx4VNxWCBz91ds67Y3Ba9oBnZDk/GeWmEmnUDjbu1fwyN4DyO8xGLrP7 ytKAKw07wGXIncVGN3W3RfvwsTceV3+zc2TroSP1ZyngNT/oWo0pp0qz 34CO9A==
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for pjatak.cz. with DNSKEY:17880: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for cz. with DNSKEY:20237: success
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS : recursive call
Launch a query to find a RRset of type DNSKEY for zone: .
;; DNSKEYset that signs the RRset to chase:
. 44409 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
. 44409 IN DNSKEY 256 3 8 AwEAAc4qsciJ5MdMUIu4n/pSTsSiU9OCyAanPTe5TcMX4v1hxhpFwiTG QUv3BXT6IAO4litrZKTUaj4vitqHW1+RQsHn3k/gSvt7FwyQwpy0mEnS hBgr6RQiGtlBODNY67sTl+W8M/b6SLTAaaDri3BO5u6wrDs149rMELJA doVBjmXW+zRH3kZzh3lwyTZsYtk7L+3DYbTiiHq+sRB4F9XoBPAz5Psv 4q4EiPq07nW3acbW84zTz3CyQUmQkJT9VB1oUKHz6sNoyccqzcMX4q1G HAYpQ7FAXlKMxidoN1Ay5DWANgTmgJXzKhcI2nIZoq1x3yq4814O1LQd 9QP68gI37+0=
;; RRSIG of the DNSKEYset that signs the RRset to chase:
. 44409 IN RRSIG DNSKEY 8 0 172800 20200611000000 20200521000000 20326 . KfazTUJ4/ezskruozpqOV/AKBcdoMVTxmLSjKaiZuNW6QVAY60/khxOa 0g7EqH/yBZP9pKIIMrxWtRzfl2YzZhkRfkDJKsNFDpyRtq06Hhhf8KHg FNsmmdUBKVtC7jh/5pldrMpInmtrV6344PkDS499x0qfsziD/FQCwF/X 8SWvfqKYmhvE8RjnlsycLtd1vao8iZtTDrevxPZCTRNwDfOufW5jNmDP 0nRKg/U0rXVXxf5q9jVX3Q875Kzyp1eewI2fPBmBXX5Vcpb3We0Gtcec KR0G0nsdXd898GiFlZU2IwrnemLWnCfE6LaoOcKcYzNO8dfMbI1hQzyI Wtnb6Q==
Launch a query to find a RRset of type DS for zone: .
;; NO ANSWERS: no more
;; WARNING There is no DS for the zone: .
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for cz. with DNSKEY:48903: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 20326
;; VERIFYING DNSKEY RRset for . with DNSKEY:20326: success
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
The same output for 1.1.1.1
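
One way to condense a kresd verbose log like the one above into one record per sub-request that was sent upstream, showing which step of the chain returned the failure (an added example, not part of the original post and not Knot Resolver code). The log layout is inferred from the lines shown, the sample lines are copied from the post, and the names `summarize` and `failing` are hypothetical.

```python
import re

# Constructed sample: lines copied from the kresd verbose log in the post above
# (the three upstream queries with their results, plus two lines the parser skips).
SAMPLE_LOG = """\
máj 31 15:18:42 localhost.localdomain kresd[1569]: [ ][nsre] score 21 for 1.1.1.1#00853; cached RTT: 12
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][resl] => id: '48127' querying: '1.1.1.1#00853' score: 21 zone cut: 'cz.' qname: 'pjAtAk.cZ.' qtype: 'DS' proto: 'tcp'
máj 31 15:18:42 localhost.localdomain kresd[1569]: [gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1775
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][iter] <= rcode: NOERROR
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.12][vldr] <= answer valid, OK
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][resl] => id: '06792' querying: '1.1.1.1#00853' score: 21 zone cut: 'pjatak.cz.' qname: 'PJAtak.Cz.' qtype: 'DNSKEY' proto: 'tcp'
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][iter] <= rcode: NOERROR
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.15][vldr] <= answer valid, OK
máj 31 15:18:42 localhost.localdomain kresd[1569]: [02431.16][resl] => id: '37496' querying: '1.1.1.1#00853' score: 21 zone cut: 'pjatak.cz.' qname: 'WwW.pjatAK.Cz.' qtype: 'A' proto: 'tcp'
máj 31 15:18:43 localhost.localdomain kresd[1569]: [02431.16][iter] <= rcode: SERVFAIL
máj 31 15:18:43 localhost.localdomain kresd[1569]: [02431.16][resl] finished: 8, queries: 5, mempool: 98400 B
"""

# Layout assumed from the lines shown: "kresd[pid]: [request.sub][layer] message".
LINE = re.compile(r"kresd\[\d+\]: \[(?P<uid>\d+\.\d+)\]\[(?P<layer>\w+)\]\s*(?P<msg>.*)$")
QUERY = re.compile(
    r"=> id: '\d+' querying: '(?P<upstream>[^']+)' .*?"
    r"qname: '(?P<qname>[^']+)' qtype: '(?P<qtype>[^']+)'"
)
RCODE = re.compile(r"<= rcode: (?P<rcode>\w+)")


def summarize(log_text):
    """Return one record per sub-request that was sent upstream, in log order."""
    records = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # gnutls debug and "[ ][nsre]" lines carry no sub-request id
        uid, layer, msg = m.group("uid", "layer", "msg")
        if layer == "resl":
            q = QUERY.search(msg)
            if q:
                records[uid] = {
                    "uid": uid,
                    "upstream": q.group("upstream"),
                    # The logged qname is mixed-case (0x20 case randomization);
                    # lower-case it so records for the same name compare equal.
                    "qname": q.group("qname").lower(),
                    "qtype": q.group("qtype"),
                    "rcode": None,
                    "validated": False,
                }
            continue
        rec = records.get(uid)
        if rec is None:
            continue  # sub-request answered from cache, nothing sent upstream
        if layer == "iter":
            r = RCODE.search(msg)
            if r:
                rec["rcode"] = r.group("rcode")
        elif layer == "vldr" and "answer valid, OK" in msg:
            rec["validated"] = True
    return list(records.values())


def failing(records):
    """Sub-requests whose logged rcode is not NOERROR or that never validated."""
    return [r for r in records if r["rcode"] != "NOERROR" or not r["validated"]]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec["uid"], rec["qname"], rec["qtype"], rec["upstream"],
              rec["rcode"], "validated" if rec["validated"] else "not validated")
```

On the sample, the DS and DNSKEY sub-requests for pjatak.cz. are reported as NOERROR and validated, and only the final A query for www.pjatak.cz. is reported with rcode SERVFAIL.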