[GH-ISSUE #2851] When validating DNSSEC, signed domains with no keys get rejected #1073

New issue

Closed

opened 2026-03-16 01:32:45 +03:00 by kerem · 2 comments

kerem commented 2026-03-16 01:32:45 +03:00

Owner

Copy link

Originally created by @msrd0 on GitHub (Mar 14, 2025).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2851

Describe the bug
When validating DNSSEC, currently the following happens:

• Domains with no DNSSEC at all pass (good)
• Domains with correct DNSSEC pass (good)
• Domains with bogus DNSSEC get rejected (good)
• Domains that have a signature but no keys get rejected

The last is definitely a weird edge case, but other resolvers (I tried cloudflare 1.1.1.1 and dns.sb 2a09::) that check DNSSEC pass, so hickory should probably pass the check as well.

The domain I queried has the following DNSSEC visualisation by dnsviz.org:

To Reproduce

1. Create a forwarding validating config file, I did this (you can ignore the 2nd change, it was for testing that #2428 is fixed):

diff --git a/tests/test-data/test_configs/example_forwarder.toml b/tests/test-data/test_configs/example_forwarder.toml
index 5706c880..f82b0a62 100644
--- a/tests/test-data/test_configs/example_forwarder.toml
+++ b/tests/test-data/test_configs/example_forwarder.toml
@@ -40,6 +40,9 @@ zone_type = "External"
 [zones.stores]
 type = "forward"

+[zones.stores.options]
+validate = true
+
 [[zones.stores.name_servers]]
 socket_addr = "8.8.8.8:53"
 protocol = "udp"
@@ -49,3 +52,8 @@ trust_negative_responses = false
 socket_addr = "8.8.8.8:53"
 protocol = "tcp"
 trust_negative_responses = false
+
+[[zones.stores.name_servers]]
+socket_addr = "69.252.250.103:53"
+protocol = "udp"
+trust_negative_responses = false
\ No newline at end of file

2. Start hickory

$ cargo run --features dnssec-aws-lc-rs,tls-aws-lc-rs --package hickory-dns -- -c tests/test-data/test_configs/example_forwarder.toml -z tests/test-data/test_configs -p 12345

3. Query a record from a domain that is signed but has no key. I queried maxemann96.de but I have also notified the domain owner of the fact that his domain is signed with no key attached so he might fix that.

$ kdig maxemann96.de MX @[::1]:12345
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 61775
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; maxemann96.de.      		IN	MX

;; Received 42 B
;; Time 2025-03-14 12:40:41 CET
;; From ::1@12345(UDP) in 207.6 ms

Expected behavior
I expected that hickory behaves similar to other dns servers, i.e. returns a record instead of SERVFAIL. This is what e.g. dns.sb does:

$ kdig maxemann96.de MX @2a09::
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51415
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; maxemann96.de.      		IN	MX

;; ANSWER SECTION:
maxemann96.de.      	300	IN	MX	10 mail.maxemann96.de.

;; Received 63 B
;; Time 2025-03-14 12:51:02 CET
;; From 2a09::@53(UDP) in 30.1 ms

System:

• OS: ArchLinux
• Architecture: x86_64
• Version: Linux 6.13.6
• rustc version: rustc 1.85.0 (4d91de4e4 2025-02-17)

Version:
Crate: hickory-dns
Version: 1660f95981 (currently latest commit on main)

Additional context
I discovered that while testing that #2428 is fixed.

Originally created by @msrd0 on GitHub (Mar 14, 2025). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2851 **Describe the bug** When validating DNSSEC, currently the following happens: - Domains with no DNSSEC at all pass (good) - Domains with correct DNSSEC pass (good) - Domains with bogus DNSSEC get rejected (good) - Domains that have a signature but no keys get rejected The last is definitely a weird edge case, but other resolvers (I tried cloudflare `1.1.1.1` and dns.sb `2a09::`) that check DNSSEC pass, so hickory should probably pass the check as well. The domain I queried has the following DNSSEC visualisation by dnsviz.org:  **To Reproduce** 1. Create a forwarding validating config file, I did this (you can ignore the 2nd change, it was for testing that #2428 is fixed): ```diff diff --git a/tests/test-data/test_configs/example_forwarder.toml b/tests/test-data/test_configs/example_forwarder.toml index 5706c880..f82b0a62 100644 --- a/tests/test-data/test_configs/example_forwarder.toml +++ b/tests/test-data/test_configs/example_forwarder.toml @@ -40,6 +40,9 @@ zone_type = "External" [zones.stores] type = "forward" +[zones.stores.options] +validate = true + [[zones.stores.name_servers]] socket_addr = "8.8.8.8:53" protocol = "udp" @@ -49,3 +52,8 @@ trust_negative_responses = false socket_addr = "8.8.8.8:53" protocol = "tcp" trust_negative_responses = false + +[[zones.stores.name_servers]] +socket_addr = "69.252.250.103:53" +protocol = "udp" +trust_negative_responses = false \ No newline at end of file ``` 2. Start hickory ``` $ cargo run --features dnssec-aws-lc-rs,tls-aws-lc-rs --package hickory-dns -- -c tests/test-data/test_configs/example_forwarder.toml -z tests/test-data/test_configs -p 12345 ``` 3. Query a record from a domain that is signed but has no key. I queried maxemann96.de but I have also notified the domain owner of the fact that his domain is signed with no key attached so he might fix that. ``` $ kdig maxemann96.de MX @[::1]:12345 ;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 61775 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR ;; QUESTION SECTION: ;; maxemann96.de. IN MX ;; Received 42 B ;; Time 2025-03-14 12:40:41 CET ;; From ::1@12345(UDP) in 207.6 ms ``` **Expected behavior** I expected that hickory behaves similar to other dns servers, i.e. returns a record instead of SERVFAIL. This is what e.g. dns.sb does: ``` $ kdig maxemann96.de MX @2a09:: ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51415 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR ;; QUESTION SECTION: ;; maxemann96.de. IN MX ;; ANSWER SECTION: maxemann96.de. 300 IN MX 10 mail.maxemann96.de. ;; Received 63 B ;; Time 2025-03-14 12:51:02 CET ;; From 2a09::@53(UDP) in 30.1 ms ``` **System:** - OS: ArchLinux - Architecture: x86_64 - Version: Linux 6.13.6 - rustc version: rustc 1.85.0 (4d91de4e4 2025-02-17) **Version:** Crate: hickory-dns Version: 1660f95981b9df5e3f1ab97e701de325436e3eee (currently latest commit on main) **Additional context** I discovered that while testing that #2428 is fixed.

kerem closed this issue 2026-03-16 01:32:50 +03:00

kerem commented 2026-03-16 01:32:56 +03:00

Author

Owner

Copy link

@divergentdave commented on GitHub (Mar 14, 2025):

I can also reproduce this issue with the validating recursor. Here are some debug-level logs from this query.

Logs

1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 5169
1741988855:DEBUG:hickory_proto::error:499:response: ; header 5169:RESPONSE:AA:NoError:QUERY:2/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; maxemann96.de. IN MX
; answers 2
maxemann96.de. 300 IN MX 10 mail.maxemann96.de.
maxemann96.de. 300 IN RRSIG MX ECDSAP256SHA256 2 300 1742078855 1741898855 34505 maxemann96.de. Aq6Mk3DymA+hi7uV+zeLQoq0KzzaMd0F7ieLNFvXl6/pnhcq6nMCRse9oePLlRXxDueZ0R27YiStbxFdJXG12w==
; nameservers 0
; additionals 1

1741988855:INFO:hickory_recursor:91:response: 5169:RESPONSE:AA:NoError:QUERY:2/0/1
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:301:validating message_response: 0, with 3 trust_anchors
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:399:verifying: maxemann96.de. record_type: MX, rrsigs: 1
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: maxemann96.de. DNSKEY
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:421:returning cached pool for de.
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:212:found zone de. for maxemann96.de. IN DNSKEY
1741988855:INFO:hickory_recursor::recursor_pool:88:querying de. for maxemann96.de. IN DNSKEY
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: maxemann96.de. DNSKEY
1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }]
1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 195.243.137.26:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }]
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 20387:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; maxemann96.de. IN DNSKEY

1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 20387
1741988855:DEBUG:hickory_proto::error:499:response: ; header 20387:RESPONSE::NoError:QUERY:0/6/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1452 opts: 0
; query
;; maxemann96.de. IN DNSKEY
; answers 0
; nameservers 6
maxemann96.de. 86400 IN NS rita.ns.cloudflare.com.
maxemann96.de. 86400 IN NS lakas.ns.cloudflare.com.
tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A tjlcsjat4ljtvo0tjncrrdf6kf6onefb NS SOA RRSIG DNSKEY NSEC3PARAM
4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A 4t0hg0qp0r9bjphla2do1277mc019msp A RRSIG
tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN RRSIG NSEC3 RSASHA256 2 7200 1742875922 1741660922 4260 de. g3dejoZYushtr3yq7WpbIxE9TZ//w9R8Sk2VUKaQnqBfD751qefguQA1ePeT+hINSnxn2xTxVoyuuLab3BXeqhlMS974S/XJAmOoFFPnerTrVj2DDFnOl50vzTpg+eUma8BLsx1m9HdbhOta/aMuQwo+3arFXnnPXZQdr2Z+IcQ=
4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN RRSIG NSEC3 RSASHA256 2 7200 1743077572 1741862572 4260 de. V7aIKs1/fcbQyYHPEdPmy8B6vv51cVVQVOMZCXJeEManBHmDMRsSVHXYmUjA28LONYBYuBvOxdf2mJK9ypbGrH1tElv7M0y8lfBZjeZtkZZ789yjioNTQuGU7VtTWAT1QWUEKB3l6TPrnEkSplgPmDCxIwLw75ERvgSXOaFug8I=
; additionals 1

1741988855:WARN:hickory_recursor::recursor_dns_handle:406:lookup error: proto error: no records found for Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:245:ns for maxemann96.de. forwarded via NS records
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:649:ns_pool_for_referral glue not found for maxemann96.de. 86400 IN NS rita.ns.cloudflare.com.
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:649:ns_pool_for_referral glue not found for maxemann96.de. 86400 IN NS lakas.ns.cloudflare.com.
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:658:ns_pool_for_referral need glue for maxemann96.de.
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:421:returning cached pool for maxemann96.de.
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:421:returning cached pool for rita.ns.cloudflare.com.
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:421:returning cached pool for lakas.ns.cloudflare.com.
1741988855:INFO:hickory_recursor::recursor_pool:88:querying rita.ns.cloudflare.com. for rita.ns.cloudflare.com. IN A
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: rita.ns.cloudflare.com. A
1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("rita.ns.cloudflare.com."), query_type: A, query_class: IN }]
1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 162.159.5.6:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("rita.ns.cloudflare.com."), query_type: A, query_class: IN }]
1741988855:INFO:hickory_recursor::recursor_pool:88:querying rita.ns.cloudflare.com. for rita.ns.cloudflare.com. IN AAAA
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: rita.ns.cloudflare.com. AAAA
1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("rita.ns.cloudflare.com."), query_type: AAAA, query_class: IN }]
1741988855:DEBUG:hickory_resolver::name_server::name_server:115:existing connection: NameServerConfig { socket_addr: 162.159.5.6:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("rita.ns.cloudflare.com."), query_type: AAAA, query_class: IN }]
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 34241:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; rita.ns.cloudflare.com. IN A

1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 58927:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; rita.ns.cloudflare.com. IN AAAA

1741988855:INFO:hickory_recursor::recursor_pool:88:querying lakas.ns.cloudflare.com. for lakas.ns.cloudflare.com. IN A
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: lakas.ns.cloudflare.com. A
1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("lakas.ns.cloudflare.com."), query_type: A, query_class: IN }]
1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: [2400:cb00:2049:1::a29f:121]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("lakas.ns.cloudflare.com."), query_type: A, query_class: IN }]
1741988855:INFO:hickory_recursor::recursor_pool:88:querying lakas.ns.cloudflare.com. for lakas.ns.cloudflare.com. IN AAAA
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: lakas.ns.cloudflare.com. AAAA
1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("lakas.ns.cloudflare.com."), query_type: AAAA, query_class: IN }]
1741988855:DEBUG:hickory_resolver::name_server::name_server:115:existing connection: NameServerConfig { socket_addr: [2400:cb00:2049:1::a29f:121]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("lakas.ns.cloudflare.com."), query_type: AAAA, query_class: IN }]
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 28392:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; lakas.ns.cloudflare.com. IN A

1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 41689:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; lakas.ns.cloudflare.com. IN AAAA

1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_resolver::name_server::name_server:150:name_server connection failure: io error: Network is unreachable (os error 101) config=NameServerConfig { socket_addr: [2400:cb00:2049:1::a29f:121]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 162.159.6.6:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("lakas.ns.cloudflare.com."), query_type: A, query_class: IN }]
1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_resolver::name_server::name_server:150:name_server connection failure: io error: Network is unreachable (os error 101) config=NameServerConfig { socket_addr: [2400:cb00:2049:1::a29f:121]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_resolver::name_server::name_server:115:existing connection: NameServerConfig { socket_addr: 162.159.6.6:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("lakas.ns.cloudflare.com."), query_type: AAAA, query_class: IN }]
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 5387:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; lakas.ns.cloudflare.com. IN A

1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 38959:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; lakas.ns.cloudflare.com. IN AAAA

1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 34241
1741988855:DEBUG:hickory_proto::error:499:response: ; header 34241:RESPONSE:AA:NoError:QUERY:4/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; rita.ns.cloudflare.com. IN A
; answers 4
rita.ns.cloudflare.com. 86353 IN A 108.162.192.140
rita.ns.cloudflare.com. 86353 IN A 173.245.58.140
rita.ns.cloudflare.com. 86353 IN A 172.64.32.140
rita.ns.cloudflare.com. 86353 IN RRSIG A ECDSAP256SHA256 4 86353 1742078855 1741898855 34505 cloudflare.com. eM1KbxfhNi4c36JVTMOf0mbcLf/nuFyr715stGwjnV64Yh9ZHQP8ssFox/C3jj2c5GZ5vVrT59wK3tR51Oj52g==
; nameservers 0
; additionals 1

1741988855:DEBUG:hickory_recursor::recursor_dns_handle:755:append_ips_from_lookup: A or AAAA response: DnsResponse { message: Message { header: Header { id: 34241, message_type: Response, op_code: Query, authoritative: true, truncation: false, recursion_desired: false, recursion_available: false, authentic_data: false, checking_disabled: false, response_code: NoError, query_count: 1, answer_count: 4, name_server_count: 0, additional_count: 1 }, queries: [Query { name: Name("rita.ns.cloudflare.com."), query_type: A, query_class: IN }], answers: [Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(108.162.192.140)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(173.245.58.140)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(172.64.32.140)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: DNSSEC(RRSIG(RRSIG(SIG { type_covered: A, algorithm: ECDSAP256SHA256, num_labels: 4, original_ttl: 86353, sig_expiration: 1742078855, sig_inception: 1741898855, key_tag: 34505, signer_name: Name("cloudflare.com."), sig: [120, 205, 74, 111, 23, 225, 54, 46, 28, 223, 162, 85, 76, 195, 159, 210, 102, 220, 45, 255, 231, 184, 92, 171, 239, 94, 108, 180, 108, 35, 157, 94, 184, 98, 31, 89, 29, 3, 252, 178, 193, 104, 199, 240, 183, 142, 61, 156, 228, 102, 121, 189, 90, 211, 231, 220, 10, 222, 212, 121, 212, 232, 249, 218] }))), proof: Indeterminate }], name_servers: [], additionals: [], signature: [], edns: Some(Edns { rcode_high: 0, version: 0, flags: EdnsFlags { dnssec_ok: true, z: 0 }, max_payload: 1232, options: OPT { options: [] } }) }, buffer: [133, 193, 132, 0, 0, 1, 0, 4, 0, 0, 0, 1, 4, 114, 105, 116, 97, 2, 110, 115, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 0, 1, 0, 1, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 108, 162, 192, 140, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 173, 245, 58, 140, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 172, 64, 32, 140, 192, 12, 0, 46, 0, 1, 0, 1, 81, 81, 0, 98, 0, 1, 13, 4, 0, 1, 81, 81, 103, 214, 3, 135, 103, 211, 68, 103, 134, 201, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 120, 205, 74, 111, 23, 225, 54, 46, 28, 223, 162, 85, 76, 195, 159, 210, 102, 220, 45, 255, 231, 184, 92, 171, 239, 94, 108, 180, 108, 35, 157, 94, 184, 98, 31, 89, 29, 3, 252, 178, 193, 104, 199, 240, 183, 142, 61, 156, 228, 102, 121, 189, 90, 211, 231, 220, 10, 222, 212, 121, 212, 232, 249, 218, 0, 0, 41, 4, 208, 0, 0, 128, 0, 0, 0] }
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 38959
1741988855:DEBUG:hickory_proto::error:499:response: ; header 38959:RESPONSE:AA:NoError:QUERY:4/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; lakas.ns.cloudflare.com. IN AAAA
; answers 4
lakas.ns.cloudflare.com. 86353 IN AAAA 2a06:98c1:50::ac40:21c2
lakas.ns.cloudflare.com. 86353 IN AAAA 2606:4700:58::adf5:3bc2
lakas.ns.cloudflare.com. 86353 IN AAAA 2803:f800:50::6ca2:c1c2
lakas.ns.cloudflare.com. 86353 IN RRSIG AAAA ECDSAP256SHA256 4 86353 1742078855 1741898855 34505 cloudflare.com. SPxEK1QkO7vFSsHxEYj4O4ArWhmELVD9eQ5FBc56jxpBDYZAXx+g4Lx/EAdVHVpfw0Ny4A45Ao6WZRl5J/bgSw==
; nameservers 0
; additionals 1

1741988855:DEBUG:hickory_recursor::recursor_dns_handle:755:append_ips_from_lookup: A or AAAA response: DnsResponse { message: Message { header: Header { id: 38959, message_type: Response, op_code: Query, authoritative: true, truncation: false, recursion_desired: false, recursion_available: false, authentic_data: false, checking_disabled: false, response_code: NoError, query_count: 1, answer_count: 4, name_server_count: 0, additional_count: 1 }, queries: [Query { name: Name("lakas.ns.cloudflare.com."), query_type: AAAA, query_class: IN }], answers: [Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2a06:98c1:50::ac40:21c2)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2606:4700:58::adf5:3bc2)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2803:f800:50::6ca2:c1c2)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: DNSSEC(RRSIG(RRSIG(SIG { type_covered: AAAA, algorithm: ECDSAP256SHA256, num_labels: 4, original_ttl: 86353, sig_expiration: 1742078855, sig_inception: 1741898855, key_tag: 34505, signer_name: Name("cloudflare.com."), sig: [72, 252, 68, 43, 84, 36, 59, 187, 197, 74, 193, 241, 17, 136, 248, 59, 128, 43, 90, 25, 132, 45, 80, 253, 121, 14, 69, 5, 206, 122, 143, 26, 65, 13, 134, 64, 95, 31, 160, 224, 188, 127, 16, 7, 85, 29, 90, 95, 195, 67, 114, 224, 14, 57, 2, 142, 150, 101, 25, 121, 39, 246, 224, 75] }))), proof: Indeterminate }], name_servers: [], additionals: [], signature: [], edns: Some(Edns { rcode_high: 0, version: 0, flags: EdnsFlags { dnssec_ok: true, z: 0 }, max_payload: 1232, options: OPT { options: [] } }) }, buffer: [152, 47, 132, 0, 0, 1, 0, 4, 0, 0, 0, 1, 5, 108, 97, 107, 97, 115, 2, 110, 115, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 0, 28, 0, 1, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 42, 6, 152, 193, 0, 80, 0, 0, 0, 0, 0, 0, 172, 64, 33, 194, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 38, 6, 71, 0, 0, 88, 0, 0, 0, 0, 0, 0, 173, 245, 59, 194, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 40, 3, 248, 0, 0, 80, 0, 0, 0, 0, 0, 0, 108, 162, 193, 194, 192, 12, 0, 46, 0, 1, 0, 1, 81, 81, 0, 98, 0, 28, 13, 4, 0, 1, 81, 81, 103, 214, 3, 135, 103, 211, 68, 103, 134, 201, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 72, 252, 68, 43, 84, 36, 59, 187, 197, 74, 193, 241, 17, 136, 248, 59, 128, 43, 90, 25, 132, 45, 80, 253, 121, 14, 69, 5, 206, 122, 143, 26, 65, 13, 134, 64, 95, 31, 160, 224, 188, 127, 16, 7, 85, 29, 90, 95, 195, 67, 114, 224, 14, 57, 2, 142, 150, 101, 25, 121, 39, 246, 224, 75, 0, 0, 41, 4, 208, 0, 0, 128, 0, 0, 0] }
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 58927
1741988855:DEBUG:hickory_proto::error:499:response: ; header 58927:RESPONSE:AA:NoError:QUERY:4/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; rita.ns.cloudflare.com. IN AAAA
; answers 4
rita.ns.cloudflare.com. 86353 IN AAAA 2a06:98c1:50::ac40:208c
rita.ns.cloudflare.com. 86353 IN AAAA 2803:f800:50::6ca2:c08c
rita.ns.cloudflare.com. 86353 IN AAAA 2606:4700:50::adf5:3a8c
rita.ns.cloudflare.com. 86353 IN RRSIG AAAA ECDSAP256SHA256 4 86353 1742078855 1741898855 34505 cloudflare.com. F0SriKvgsqZtYq8Loucy/qn1Yf2WdkypmNbJ6Vu5JC0a4yfQy2MRODIj0+iVUoUmTYXWhwjzuzwLMkGG0wxv4Q==
; nameservers 0
; additionals 1

1741988855:DEBUG:hickory_recursor::recursor_dns_handle:755:append_ips_from_lookup: A or AAAA response: DnsResponse { message: Message { header: Header { id: 58927, message_type: Response, op_code: Query, authoritative: true, truncation: false, recursion_desired: false, recursion_available: false, authentic_data: false, checking_disabled: false, response_code: NoError, query_count: 1, answer_count: 4, name_server_count: 0, additional_count: 1 }, queries: [Query { name: Name("rita.ns.cloudflare.com."), query_type: AAAA, query_class: IN }], answers: [Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2a06:98c1:50::ac40:208c)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2803:f800:50::6ca2:c08c)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2606:4700:50::adf5:3a8c)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: DNSSEC(RRSIG(RRSIG(SIG { type_covered: AAAA, algorithm: ECDSAP256SHA256, num_labels: 4, original_ttl: 86353, sig_expiration: 1742078855, sig_inception: 1741898855, key_tag: 34505, signer_name: Name("cloudflare.com."), sig: [23, 68, 171, 136, 171, 224, 178, 166, 109, 98, 175, 11, 162, 231, 50, 254, 169, 245, 97, 253, 150, 118, 76, 169, 152, 214, 201, 233, 91, 185, 36, 45, 26, 227, 39, 208, 203, 99, 17, 56, 50, 35, 211, 232, 149, 82, 133, 38, 77, 133, 214, 135, 8, 243, 187, 60, 11, 50, 65, 134, 211, 12, 111, 225] }))), proof: Indeterminate }], name_servers: [], additionals: [], signature: [], edns: Some(Edns { rcode_high: 0, version: 0, flags: EdnsFlags { dnssec_ok: true, z: 0 }, max_payload: 1232, options: OPT { options: [] } }) }, buffer: [230, 47, 132, 0, 0, 1, 0, 4, 0, 0, 0, 1, 4, 114, 105, 116, 97, 2, 110, 115, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 0, 28, 0, 1, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 42, 6, 152, 193, 0, 80, 0, 0, 0, 0, 0, 0, 172, 64, 32, 140, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 40, 3, 248, 0, 0, 80, 0, 0, 0, 0, 0, 0, 108, 162, 192, 140, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 38, 6, 71, 0, 0, 80, 0, 0, 0, 0, 0, 0, 173, 245, 58, 140, 192, 12, 0, 46, 0, 1, 0, 1, 81, 81, 0, 98, 0, 28, 13, 4, 0, 1, 81, 81, 103, 214, 3, 135, 103, 211, 68, 103, 134, 201, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 23, 68, 171, 136, 171, 224, 178, 166, 109, 98, 175, 11, 162, 231, 50, 254, 169, 245, 97, 253, 150, 118, 76, 169, 152, 214, 201, 233, 91, 185, 36, 45, 26, 227, 39, 208, 203, 99, 17, 56, 50, 35, 211, 232, 149, 82, 133, 38, 77, 133, 214, 135, 8, 243, 187, 60, 11, 50, 65, 134, 211, 12, 111, 225, 0, 0, 41, 4, 208, 0, 0, 128, 0, 0, 0] }
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 5387
1741988855:DEBUG:hickory_proto::error:499:response: ; header 5387:RESPONSE:AA:NoError:QUERY:4/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; lakas.ns.cloudflare.com. IN A
; answers 4
lakas.ns.cloudflare.com. 86353 IN A 173.245.59.194
lakas.ns.cloudflare.com. 86353 IN A 108.162.193.194
lakas.ns.cloudflare.com. 86353 IN A 172.64.33.194
lakas.ns.cloudflare.com. 86353 IN RRSIG A ECDSAP256SHA256 4 86353 1742078855 1741898855 34505 cloudflare.com. 59GvtV+Q0Evh9TXw2p+VUYOI0nFi3o1Bnjl/e3Rso8tpWSq4izbWrpCqMgFfIj+3m4OnKQl0Ds6SE+BaJ7HiTg==
; nameservers 0
; additionals 1

1741988855:DEBUG:hickory_recursor::recursor_dns_handle:755:append_ips_from_lookup: A or AAAA response: DnsResponse { message: Message { header: Header { id: 5387, message_type: Response, op_code: Query, authoritative: true, truncation: false, recursion_desired: false, recursion_available: false, authentic_data: false, checking_disabled: false, response_code: NoError, query_count: 1, answer_count: 4, name_server_count: 0, additional_count: 1 }, queries: [Query { name: Name("lakas.ns.cloudflare.com."), query_type: A, query_class: IN }], answers: [Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(173.245.59.194)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(108.162.193.194)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(172.64.33.194)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: DNSSEC(RRSIG(RRSIG(SIG { type_covered: A, algorithm: ECDSAP256SHA256, num_labels: 4, original_ttl: 86353, sig_expiration: 1742078855, sig_inception: 1741898855, key_tag: 34505, signer_name: Name("cloudflare.com."), sig: [231, 209, 175, 181, 95, 144, 208, 75, 225, 245, 53, 240, 218, 159, 149, 81, 131, 136, 210, 113, 98, 222, 141, 65, 158, 57, 127, 123, 116, 108, 163, 203, 105, 89, 42, 184, 139, 54, 214, 174, 144, 170, 50, 1, 95, 34, 63, 183, 155, 131, 167, 41, 9, 116, 14, 206, 146, 19, 224, 90, 39, 177, 226, 78] }))), proof: Indeterminate }], name_servers: [], additionals: [], signature: [], edns: Some(Edns { rcode_high: 0, version: 0, flags: EdnsFlags { dnssec_ok: true, z: 0 }, max_payload: 1232, options: OPT { options: [] } }) }, buffer: [21, 11, 132, 0, 0, 1, 0, 4, 0, 0, 0, 1, 5, 108, 97, 107, 97, 115, 2, 110, 115, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 0, 1, 0, 1, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 173, 245, 59, 194, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 108, 162, 193, 194, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 172, 64, 33, 194, 192, 12, 0, 46, 0, 1, 0, 1, 81, 81, 0, 98, 0, 1, 13, 4, 0, 1, 81, 81, 103, 214, 3, 135, 103, 211, 68, 103, 134, 201, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 231, 209, 175, 181, 95, 144, 208, 75, 225, 245, 53, 240, 218, 159, 149, 81, 131, 136, 210, 113, 98, 222, 141, 65, 158, 57, 127, 123, 116, 108, 163, 203, 105, 89, 42, 184, 139, 54, 214, 174, 144, 170, 50, 1, 95, 34, 63, 183, 155, 131, 167, 41, 9, 116, 14, 206, 146, 19, 224, 90, 39, 177, 226, 78, 0, 0, 41, 4, 208, 0, 0, 128, 0, 0, 0] }
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:678:ns_pool_for_referral found nameservers for maxemann96.de.: NameServerConfigGroup { servers: [NameServerConfig { socket_addr: 108.162.192.140:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 108.162.192.140:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 173.245.58.140:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 173.245.58.140:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 172.64.32.140:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 172.64.32.140:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2a06:98c1:50::ac40:21c2]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2a06:98c1:50::ac40:21c2]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2606:4700:58::adf5:3bc2]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2606:4700:58::adf5:3bc2]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2803:f800:50::6ca2:c1c2]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2803:f800:50::6ca2:c1c2]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2a06:98c1:50::ac40:208c]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2a06:98c1:50::ac40:208c]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2803:f800:50::6ca2:c08c]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2803:f800:50::6ca2:c08c]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2606:4700:50::adf5:3a8c]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2606:4700:50::adf5:3a8c]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 173.245.59.194:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 173.245.59.194:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 108.162.193.194:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 108.162.193.194:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 172.64.33.194:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 172.64.33.194:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }] }
1741988855:INFO:hickory_recursor::recursor_pool:88:querying maxemann96.de. for maxemann96.de. IN DNSKEY
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: maxemann96.de. DNSKEY
1741988855:DEBUG:hickory_proto::xfer::dns_exchange:186:io_stream is done, shutting down
1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }]
1741988855:DEBUG:hickory_proto::xfer::dns_exchange:186:io_stream is done, shutting down
1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: [2606:4700:50::adf5:3a8c]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }]
1741988855:DEBUG:hickory_proto::xfer::dns_exchange:186:io_stream is done, shutting down
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 39959:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; maxemann96.de. IN DNSKEY

1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_resolver::name_server::name_server:150:name_server connection failure: io error: Network is unreachable (os error 101) config=NameServerConfig { socket_addr: [2606:4700:50::adf5:3a8c]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 173.245.58.140:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }]
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 8224:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; maxemann96.de. IN DNSKEY

1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 8224
1741988855:DEBUG:hickory_proto::error:499:response: ; header 8224:RESPONSE:AA:NoError:QUERY:3/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; maxemann96.de. IN DNSKEY
; answers 3
maxemann96.de. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
maxemann96.de. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
maxemann96.de. 3600 IN RRSIG DNSKEY ECDSAP256SHA256 2 3600 1745835939 1740565539 2371 maxemann96.de. Le3bJmqQyGqQi1Iybmz2ynyUckVLafT6nvIVGq4ApmnG3U/BiYbSDRcwsdt7dKGgzynTzP3lXvF8SUlmZ2YbYw==
; nameservers 0
; additionals 1

1741988855:INFO:hickory_recursor:91:response: 8224:RESPONSE:AA:NoError:QUERY:3/0/1
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:301:validating message_response: 0, with 3 trust_anchors
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:399:verifying: maxemann96.de. record_type: DNSKEY, rrsigs: 1
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:545:dnskey validation maxemann96.de., record_type: DNSKEY
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: maxemann96.de. DS
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:421:returning cached pool for de.
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:212:found zone de. for maxemann96.de. IN DS
1741988855:INFO:hickory_recursor::recursor_pool:88:querying de. for maxemann96.de. IN DS
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: maxemann96.de. DS
1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("maxemann96.de."), query_type: DS, query_class: IN }]
1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 194.0.0.53:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("maxemann96.de."), query_type: DS, query_class: IN }]
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 23534:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; maxemann96.de. IN DS

1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 23534
1741988855:DEBUG:hickory_proto::error:499:response: ; header 23534:RESPONSE:AA:NoError:QUERY:0/6/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1452 opts: 0
; query
;; maxemann96.de. IN DS
; answers 0
; nameservers 6
tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A tjlcsjat4ljtvo0tjncrrdf6kf6onefb NS SOA RRSIG DNSKEY NSEC3PARAM
tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN RRSIG NSEC3 RSASHA256 2 7200 1742875922 1741660922 4260 de. g3dejoZYushtr3yq7WpbIxE9TZ//w9R8Sk2VUKaQnqBfD751qefguQA1ePeT+hINSnxn2xTxVoyuuLab3BXeqhlMS974S/XJAmOoFFPnerTrVj2DDFnOl50vzTpg+eUma8BLsx1m9HdbhOta/aMuQwo+3arFXnnPXZQdr2Z+IcQ=
de. 7200 IN SOA f.nic.de. dns-operations.denic.de. 1741988725 7200 7200 3600000 7200
de. 7200 IN RRSIG SOA RSASHA256 1 86400 1743198322 1741983322 4260 de. SgtHW7C6uy7YoElVAGrDvvZqLCky/14ykIRorsKWwM7TJ/pPwlik6jqVvlvNN3rQ2z7mzK2DBcrkXDM7WA1u6yU2yARIGsBzMCGl/xT5wMvoRdTBOzs1/CWDKl3VqRJBeoG6y/DfldzkE0GyNXV+k8EmyJPIQrwtuFMQ1Hriw20=
4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A 4t0hg0qp0r9bjphla2do1277mc019msp A RRSIG
4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN RRSIG NSEC3 RSASHA256 2 7200 1743077572 1741862572 4260 de. V7aIKs1/fcbQyYHPEdPmy8B6vv51cVVQVOMZCXJeEManBHmDMRsSVHXYmUjA28LONYBYuBvOxdf2mJK9ypbGrH1tElv7M0y8lfBZjeZtkZZ789yjioNTQuGU7VtTWAT1QWUEKB3l6TPrnEkSplgPmDCxIwLw75ERvgSXOaFug8I=
; additionals 1

1741988855:WARN:hickory_recursor::recursor_dns_handle:406:lookup error: proto error: no records found for Query { name: Name("maxemann96.de."), query_type: DS, query_class: IN }
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:167:translating NoRecordsFound to DnsResponse for maxemann96.de. IN DS
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:301:validating message_response: 0, with 3 trust_anchors
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:1365:nsec3 proof for maxemann96.de., returning Bogus: no valid servicing wildcard proof
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:281:returning Nsec error for maxemann96.de. Bogus
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: de. DS
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:301:validating message_response: 0, with 3 trust_anchors
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:399:verifying: de. record_type: DS, rrsigs: 1
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: . DNSKEY
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:433:using roots for . nameservers
1741988855:INFO:hickory_recursor::recursor_pool:88:querying . for . IN NS
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: . NS
1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("."), query_type: NS, query_class: IN }]
1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 202.12.27.33:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("."), query_type: NS, query_class: IN }]
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 59437:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; . IN NS

1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 59437
1741988855:DEBUG:hickory_proto::error:499:response: ; header 59437:RESPONSE:AA:NoError:QUERY:14/0/27
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; . IN NS
; answers 14
. 518400 IN NS e.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN RRSIG NS RSASHA256 0 518400 1743094800 1741968000 26470 . RNBi4rY553YVDa8DjWj786NTjL+qEUUAq86K4PMhoU/oqH0R16wJpCXNosD1nR7Zj65Skp0pSqS/RNSx7yfGjSvEaefPSrYcMjeo0Ue/gtET1a1ZIZLH7wUEV/GUHPJ6NzsAgbS0AWyjTZfbcht23EMYIbyu3/cRNoRhQoeyT2idHQmodQgAWsVVCJcuipoR1QFrhM0KQE0dTWq2joQOgyYbq7CVYuC1+InuzZMbdPCFIo2z5d5SnLqAJSb25kwcV04V8u0OCRqGheGu0PebKspR1AqJhCrexsX6682p6WSj1Q3DlFE6F8V+amRxpHciD9/paTDNMvwg0YgUmRPQkw==
; nameservers 0
; additionals 27
m.root-servers.net. 518400 IN A 202.12.27.33
l.root-servers.net. 518400 IN A 199.7.83.42
k.root-servers.net. 518400 IN A 193.0.14.129
j.root-servers.net. 518400 IN A 192.58.128.30
i.root-servers.net. 518400 IN A 192.36.148.17
h.root-servers.net. 518400 IN A 198.97.190.53
g.root-servers.net. 518400 IN A 192.112.36.4
f.root-servers.net. 518400 IN A 192.5.5.241
e.root-servers.net. 518400 IN A 192.203.230.10
d.root-servers.net. 518400 IN A 199.7.91.13
c.root-servers.net. 518400 IN A 192.33.4.12
b.root-servers.net. 518400 IN A 170.247.170.2
a.root-servers.net. 518400 IN A 198.41.0.4
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30

1741988855:INFO:hickory_recursor:91:response: 59437:RESPONSE:AA:NoError:QUERY:14/0/27
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:485:response is not NS: DNSSEC(RRSIG(RRSIG(SIG { type_covered: NS, algorithm: RSASHA256, num_labels: 0, original_ttl: 518400, sig_expiration: 1743094800, sig_inception: 1741968000, key_tag: 26470, signer_name: Name("."), sig: [68, 208, 98, 226, 182, 57, 231, 118, 21, 13, 175, 3, 141, 104, 251, 243, 163, 83, 140, 191, 170, 17, 69, 0, 171, 206, 138, 224, 243, 33, 161, 79, 232, 168, 125, 17, 215, 172, 9, 164, 37, 205, 162, 192, 245, 157, 30, 217, 143, 174, 82, 146, 157, 41, 74, 164, 191, 68, 212, 177, 239, 39, 198, 141, 43, 196, 105, 231, 207, 74, 182, 28, 50, 55, 168, 209, 71, 191, 130, 209, 19, 213, 173, 89, 33, 146, 199, 239, 5, 4, 87, 241, 148, 28, 242, 122, 55, 59, 0, 129, 180, 180, 1, 108, 163, 77, 151, 219, 114, 27, 118, 220, 67, 24, 33, 188, 174, 223, 247, 17, 54, 132, 97, 66, 135, 178, 79, 104, 157, 29, 9, 168, 117, 8, 0, 90, 197, 85, 8, 151, 46, 138, 154, 17, 213, 1, 107, 132, 205, 10, 64, 77, 29, 77, 106, 182, 142, 132, 14, 131, 38, 27, 171, 176, 149, 98, 224, 181, 248, 137, 238, 205, 147, 27, 116, 240, 133, 34, 141, 179, 229, 222, 82, 156, 186, 128, 37, 38, 246, 230, 76, 28, 87, 78, 21, 242, 237, 14, 9, 26, 134, 133, 225, 174, 208, 247, 155, 42, 202, 81, 212, 10, 137, 132, 42, 222, 198, 197, 250, 235, 205, 169, 233, 100, 163, 213, 13, 195, 148, 81, 58, 23, 197, 126, 106, 100, 113, 164, 119, 34, 15, 223, 233, 105, 48, 205, 50, 252, 32, 209, 136, 20, 153, 19, 208, 147] }))); skipping
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:562:found nameservers for .
1741988855:DEBUG:hickory_recursor::recursor_dns_handle:212:found zone . for . IN DNSKEY
1741988855:INFO:hickory_recursor::recursor_pool:88:querying . for . IN DNSKEY
1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: . DNSKEY
1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("."), query_type: DNSKEY, query_class: IN }]
1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 192.112.36.4:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }
1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("."), query_type: DNSKEY, query_class: IN }]
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 5909:QUERY::NoError:QUERY:0/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; . IN DNSKEY

1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully
1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 5909
1741988855:DEBUG:hickory_proto::error:499:response: ; header 5909:RESPONSE:AA:NoError:QUERY:4/0/1
; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0
; query
;; . IN DNSKEY
; answers 4
. 172800 IN DNSKEY 256 3 8 AwEAAZ5A7jOztf62cGqhPhutjnyl7KBjIsjbyTb8il+FsgbMUbO2NQHaSbatHdlOlqANncDwSIKZ9ryqd1+Dy1PoGzeTUv95vOJnVVJHlJu7xdavnUmPs+Mh2NV7hDlTTwPn5uXgFxAaxoO9M/YIAC92GryCLjoJEg9JzeevkktEM/sFpmRv4I5jQtlLyRqVbnCzcWpi04XaVLxRKvURkd/Mdb/2RQS3MYvrkEBXuqtnAVBCf6Fx4sgBYOfYvbUuG2diLnGJW/MXvFpctZgQ76+3FwMqAZfR9k5bohL7AF3+jqz4MUiootYoh5koyt7VEnUULxxy6U5PINTGgOC26f3zZuk=
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
. 172800 IN RRSIG DNSKEY RSASHA256 0 172800 1743552000 1741737600 20326 . joWEhr7Z7AY96Kpp+ioymNlyKtdPDPkzEvGO1tLYsoR0huN6i7rOVBRYQd0HHWdA4RaXiXf7ME5U1qEiuH3xFG3H7BRBwddweL4ubSNVeVo5sk+BSv74uTSpnPcCgUgCxppaY4c9Q6lXOASVGNiyLPG4bMUSbBONXBKRT5vnJss1z30BF47JaFM/OdT+0Zu8oVr8f8KX1hjcm8pZfpoIAnHg2BLsbVCS5iBfmtahqttuyEnJdw0R2ExBXpYNrK6ZR5sSiF5S4lMf66ix4bBl2eecQFWNAsD4H3yksS95JEgXkq4JJduKbn7t7B1aFennfSjC9lT3WZ7O6xuPXb2QLw==
; nameservers 0
; additionals 1

1741988855:INFO:hickory_recursor:91:response: 5909:RESPONSE:AA:NoError:QUERY:4/0/1
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:301:validating message_response: 0, with 3 trust_anchors
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:399:verifying: . record_type: DNSKEY, rrsigs: 1
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:545:dnskey validation ., record_type: DNSKEY
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:681:validated dnskey with trust_anchor: ., 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:570:ignoring DS lookup for root zone or registered keys
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:1114:validated (., DNSKEY) with (., 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=)
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:409:verified: . record_type: DNSKEY
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:1114:validated (de., DS) with (., 256 3 8 AwEAAZ5A7jOztf62cGqhPhutjnyl7KBjIsjbyTb8il+FsgbMUbO2NQHaSbatHdlOlqANncDwSIKZ9ryqd1+Dy1PoGzeTUv95vOJnVVJHlJu7xdavnUmPs+Mh2NV7hDlTTwPn5uXgFxAaxoO9M/YIAC92GryCLjoJEg9JzeevkktEM/sFpmRv4I5jQtlLyRqVbnCzcWpi04XaVLxRKvURkd/Mdb/2RQS3MYvrkEBXuqtnAVBCf6Fx4sgBYOfYvbUuG2diLnGJW/MXvFpctZgQ76+3FwMqAZfR9k5bohL7AF3+jqz4MUiootYoh5koyt7VEnUULxxy6U5PINTGgOC26f3zZuk=)
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:409:verified: de. record_type: DS
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:417:failed to verify: maxemann96.de. record_type: DNSKEY: ds record should exist: maxemann96.de.
1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:417:failed to verify: maxemann96.de. record_type: MX: rrsigs were not able to be verified: maxemann96.de., type: MX
1741988855:INFO:hickory_recursor:91:response: 0:QUERY::NoError:QUERY:0/0/0
1741988855:DEBUG:hickory_server::server::response_handler:107:response: 58593 response_code: Server Failure
1741988855:INFO:hickory_server::server::server_future:865:request:58593 src:udp://127.0.0.1#53450 QUERY qflags:RD,AD response:ServFail rr:0/0/1 rflags:RD,RA
1741988855:INFO:hickory_server::server::server_future:880:query:maxemann96.de.:MX:IN

The line nsec3 proof for maxemann96.de., returning Bogus: no valid servicing wildcard proof looks suspicious. Note that we already have recursor conformance tests covering insecure zones that nevertheless include DNSKEY record, see resolver::dnssec::scenarios::insecure::no_ds_record_nsec3 etc. I tried querying DS maxemann96.de, and Hickory DNS returns SERVFAIL for that as well. Here's what Google Public DNS returns, FWIW.

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38665
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;maxemann96.de.			IN	DS

;; AUTHORITY SECTION:
de.			1800	IN	SOA	f.nic.de. dns-operations.denic.de. 1741990494 7200 7200 3600000 7200
de.			1800	IN	RRSIG	SOA 8 1 86400 20250328221451 20250314204451 4260 de. hhntj4t33aLEfFknlY1BJEPsz8qGhK2m+3VicZRtJSV6Cye0vw1i6wJN 2089jwiM0Eb1ImUSpZ6Zl+8El392HNqHOa3h+600QtYSUh1xYn9vM6fQ 52Oo9xa+hWsniwGV4PYX4iOGlLmhe0U+ckCnlcXLe7/+yqYr9TYMpTF6 oIo=
tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A TJLCSJAT4LJTVO0TJNCRRDF6KF6ONEFB NS SOA RRSIG DNSKEY NSEC3PARAM
tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN RRSIG NSEC3 8 2 7200 20250325041202 20250311024202 4260 de. g3dejoZYushtr3yq7WpbIxE9TZ//w9R8Sk2VUKaQnqBfD751qefguQA1 ePeT+hINSnxn2xTxVoyuuLab3BXeqhlMS974S/XJAmOoFFPnerTrVj2D DFnOl50vzTpg+eUma8BLsx1m9HdbhOta/aMuQwo+3arFXnnPXZQdr2Z+ IcQ=
4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A 4T0HG0QP0R9BJPHLA2DO1277MC019MSP A RRSIG
4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN RRSIG NSEC3 8 2 7200 20250327121252 20250313104252 4260 de. V7aIKs1/fcbQyYHPEdPmy8B6vv51cVVQVOMZCXJeEManBHmDMRsSVHXY mUjA28LONYBYuBvOxdf2mJK9ypbGrH1tElv7M0y8lfBZjeZtkZZ789yj ioNTQuGU7VtTWAT1QWUEKB3l6TPrnEkSplgPmDCxIwLw75ERvgSXOaFu g8I=

<!-- gh-comment-id:2725900250 --> @divergentdave commented on GitHub (Mar 14, 2025): I can also reproduce this issue with the validating recursor. Here are some debug-level logs from this query. <details><summary>Logs</summary> ``` 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 5169 1741988855:DEBUG:hickory_proto::error:499:response: ; header 5169:RESPONSE:AA:NoError:QUERY:2/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; maxemann96.de. IN MX ; answers 2 maxemann96.de. 300 IN MX 10 mail.maxemann96.de. maxemann96.de. 300 IN RRSIG MX ECDSAP256SHA256 2 300 1742078855 1741898855 34505 maxemann96.de. Aq6Mk3DymA+hi7uV+zeLQoq0KzzaMd0F7ieLNFvXl6/pnhcq6nMCRse9oePLlRXxDueZ0R27YiStbxFdJXG12w== ; nameservers 0 ; additionals 1 1741988855:INFO:hickory_recursor:91:response: 5169:RESPONSE:AA:NoError:QUERY:2/0/1 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:301:validating message_response: 0, with 3 trust_anchors 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:399:verifying: maxemann96.de. record_type: MX, rrsigs: 1 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: maxemann96.de. DNSKEY 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:421:returning cached pool for de. 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:212:found zone de. for maxemann96.de. IN DNSKEY 1741988855:INFO:hickory_recursor::recursor_pool:88:querying de. for maxemann96.de. IN DNSKEY 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: maxemann96.de. DNSKEY 1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }] 1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 195.243.137.26:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }] 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 20387:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; maxemann96.de. IN DNSKEY 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 20387 1741988855:DEBUG:hickory_proto::error:499:response: ; header 20387:RESPONSE::NoError:QUERY:0/6/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1452 opts: 0 ; query ;; maxemann96.de. IN DNSKEY ; answers 0 ; nameservers 6 maxemann96.de. 86400 IN NS rita.ns.cloudflare.com. maxemann96.de. 86400 IN NS lakas.ns.cloudflare.com. tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A tjlcsjat4ljtvo0tjncrrdf6kf6onefb NS SOA RRSIG DNSKEY NSEC3PARAM 4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A 4t0hg0qp0r9bjphla2do1277mc019msp A RRSIG tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN RRSIG NSEC3 RSASHA256 2 7200 1742875922 1741660922 4260 de. g3dejoZYushtr3yq7WpbIxE9TZ//w9R8Sk2VUKaQnqBfD751qefguQA1ePeT+hINSnxn2xTxVoyuuLab3BXeqhlMS974S/XJAmOoFFPnerTrVj2DDFnOl50vzTpg+eUma8BLsx1m9HdbhOta/aMuQwo+3arFXnnPXZQdr2Z+IcQ= 4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN RRSIG NSEC3 RSASHA256 2 7200 1743077572 1741862572 4260 de. V7aIKs1/fcbQyYHPEdPmy8B6vv51cVVQVOMZCXJeEManBHmDMRsSVHXYmUjA28LONYBYuBvOxdf2mJK9ypbGrH1tElv7M0y8lfBZjeZtkZZ789yjioNTQuGU7VtTWAT1QWUEKB3l6TPrnEkSplgPmDCxIwLw75ERvgSXOaFug8I= ; additionals 1 1741988855:WARN:hickory_recursor::recursor_dns_handle:406:lookup error: proto error: no records found for Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN } 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:245:ns for maxemann96.de. forwarded via NS records 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:649:ns_pool_for_referral glue not found for maxemann96.de. 86400 IN NS rita.ns.cloudflare.com. 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:649:ns_pool_for_referral glue not found for maxemann96.de. 86400 IN NS lakas.ns.cloudflare.com. 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:658:ns_pool_for_referral need glue for maxemann96.de. 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:421:returning cached pool for maxemann96.de. 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:421:returning cached pool for rita.ns.cloudflare.com. 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:421:returning cached pool for lakas.ns.cloudflare.com. 1741988855:INFO:hickory_recursor::recursor_pool:88:querying rita.ns.cloudflare.com. for rita.ns.cloudflare.com. IN A 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: rita.ns.cloudflare.com. A 1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("rita.ns.cloudflare.com."), query_type: A, query_class: IN }] 1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 162.159.5.6:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("rita.ns.cloudflare.com."), query_type: A, query_class: IN }] 1741988855:INFO:hickory_recursor::recursor_pool:88:querying rita.ns.cloudflare.com. for rita.ns.cloudflare.com. IN AAAA 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: rita.ns.cloudflare.com. AAAA 1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("rita.ns.cloudflare.com."), query_type: AAAA, query_class: IN }] 1741988855:DEBUG:hickory_resolver::name_server::name_server:115:existing connection: NameServerConfig { socket_addr: 162.159.5.6:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("rita.ns.cloudflare.com."), query_type: AAAA, query_class: IN }] 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 34241:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; rita.ns.cloudflare.com. IN A 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 58927:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; rita.ns.cloudflare.com. IN AAAA 1741988855:INFO:hickory_recursor::recursor_pool:88:querying lakas.ns.cloudflare.com. for lakas.ns.cloudflare.com. IN A 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: lakas.ns.cloudflare.com. A 1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("lakas.ns.cloudflare.com."), query_type: A, query_class: IN }] 1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: [2400:cb00:2049:1::a29f:121]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("lakas.ns.cloudflare.com."), query_type: A, query_class: IN }] 1741988855:INFO:hickory_recursor::recursor_pool:88:querying lakas.ns.cloudflare.com. for lakas.ns.cloudflare.com. IN AAAA 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: lakas.ns.cloudflare.com. AAAA 1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("lakas.ns.cloudflare.com."), query_type: AAAA, query_class: IN }] 1741988855:DEBUG:hickory_resolver::name_server::name_server:115:existing connection: NameServerConfig { socket_addr: [2400:cb00:2049:1::a29f:121]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("lakas.ns.cloudflare.com."), query_type: AAAA, query_class: IN }] 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 28392:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; lakas.ns.cloudflare.com. IN A 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 41689:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; lakas.ns.cloudflare.com. IN AAAA 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_resolver::name_server::name_server:150:name_server connection failure: io error: Network is unreachable (os error 101) config=NameServerConfig { socket_addr: [2400:cb00:2049:1::a29f:121]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 162.159.6.6:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("lakas.ns.cloudflare.com."), query_type: A, query_class: IN }] 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_resolver::name_server::name_server:150:name_server connection failure: io error: Network is unreachable (os error 101) config=NameServerConfig { socket_addr: [2400:cb00:2049:1::a29f:121]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_resolver::name_server::name_server:115:existing connection: NameServerConfig { socket_addr: 162.159.6.6:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("lakas.ns.cloudflare.com."), query_type: AAAA, query_class: IN }] 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 5387:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; lakas.ns.cloudflare.com. IN A 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 38959:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; lakas.ns.cloudflare.com. IN AAAA 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 34241 1741988855:DEBUG:hickory_proto::error:499:response: ; header 34241:RESPONSE:AA:NoError:QUERY:4/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; rita.ns.cloudflare.com. IN A ; answers 4 rita.ns.cloudflare.com. 86353 IN A 108.162.192.140 rita.ns.cloudflare.com. 86353 IN A 173.245.58.140 rita.ns.cloudflare.com. 86353 IN A 172.64.32.140 rita.ns.cloudflare.com. 86353 IN RRSIG A ECDSAP256SHA256 4 86353 1742078855 1741898855 34505 cloudflare.com. eM1KbxfhNi4c36JVTMOf0mbcLf/nuFyr715stGwjnV64Yh9ZHQP8ssFox/C3jj2c5GZ5vVrT59wK3tR51Oj52g== ; nameservers 0 ; additionals 1 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:755:append_ips_from_lookup: A or AAAA response: DnsResponse { message: Message { header: Header { id: 34241, message_type: Response, op_code: Query, authoritative: true, truncation: false, recursion_desired: false, recursion_available: false, authentic_data: false, checking_disabled: false, response_code: NoError, query_count: 1, answer_count: 4, name_server_count: 0, additional_count: 1 }, queries: [Query { name: Name("rita.ns.cloudflare.com."), query_type: A, query_class: IN }], answers: [Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(108.162.192.140)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(173.245.58.140)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(172.64.32.140)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: DNSSEC(RRSIG(RRSIG(SIG { type_covered: A, algorithm: ECDSAP256SHA256, num_labels: 4, original_ttl: 86353, sig_expiration: 1742078855, sig_inception: 1741898855, key_tag: 34505, signer_name: Name("cloudflare.com."), sig: [120, 205, 74, 111, 23, 225, 54, 46, 28, 223, 162, 85, 76, 195, 159, 210, 102, 220, 45, 255, 231, 184, 92, 171, 239, 94, 108, 180, 108, 35, 157, 94, 184, 98, 31, 89, 29, 3, 252, 178, 193, 104, 199, 240, 183, 142, 61, 156, 228, 102, 121, 189, 90, 211, 231, 220, 10, 222, 212, 121, 212, 232, 249, 218] }))), proof: Indeterminate }], name_servers: [], additionals: [], signature: [], edns: Some(Edns { rcode_high: 0, version: 0, flags: EdnsFlags { dnssec_ok: true, z: 0 }, max_payload: 1232, options: OPT { options: [] } }) }, buffer: [133, 193, 132, 0, 0, 1, 0, 4, 0, 0, 0, 1, 4, 114, 105, 116, 97, 2, 110, 115, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 0, 1, 0, 1, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 108, 162, 192, 140, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 173, 245, 58, 140, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 172, 64, 32, 140, 192, 12, 0, 46, 0, 1, 0, 1, 81, 81, 0, 98, 0, 1, 13, 4, 0, 1, 81, 81, 103, 214, 3, 135, 103, 211, 68, 103, 134, 201, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 120, 205, 74, 111, 23, 225, 54, 46, 28, 223, 162, 85, 76, 195, 159, 210, 102, 220, 45, 255, 231, 184, 92, 171, 239, 94, 108, 180, 108, 35, 157, 94, 184, 98, 31, 89, 29, 3, 252, 178, 193, 104, 199, 240, 183, 142, 61, 156, 228, 102, 121, 189, 90, 211, 231, 220, 10, 222, 212, 121, 212, 232, 249, 218, 0, 0, 41, 4, 208, 0, 0, 128, 0, 0, 0] } 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 38959 1741988855:DEBUG:hickory_proto::error:499:response: ; header 38959:RESPONSE:AA:NoError:QUERY:4/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; lakas.ns.cloudflare.com. IN AAAA ; answers 4 lakas.ns.cloudflare.com. 86353 IN AAAA 2a06:98c1:50::ac40:21c2 lakas.ns.cloudflare.com. 86353 IN AAAA 2606:4700:58::adf5:3bc2 lakas.ns.cloudflare.com. 86353 IN AAAA 2803:f800:50::6ca2:c1c2 lakas.ns.cloudflare.com. 86353 IN RRSIG AAAA ECDSAP256SHA256 4 86353 1742078855 1741898855 34505 cloudflare.com. SPxEK1QkO7vFSsHxEYj4O4ArWhmELVD9eQ5FBc56jxpBDYZAXx+g4Lx/EAdVHVpfw0Ny4A45Ao6WZRl5J/bgSw== ; nameservers 0 ; additionals 1 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:755:append_ips_from_lookup: A or AAAA response: DnsResponse { message: Message { header: Header { id: 38959, message_type: Response, op_code: Query, authoritative: true, truncation: false, recursion_desired: false, recursion_available: false, authentic_data: false, checking_disabled: false, response_code: NoError, query_count: 1, answer_count: 4, name_server_count: 0, additional_count: 1 }, queries: [Query { name: Name("lakas.ns.cloudflare.com."), query_type: AAAA, query_class: IN }], answers: [Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2a06:98c1:50::ac40:21c2)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2606:4700:58::adf5:3bc2)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2803:f800:50::6ca2:c1c2)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: DNSSEC(RRSIG(RRSIG(SIG { type_covered: AAAA, algorithm: ECDSAP256SHA256, num_labels: 4, original_ttl: 86353, sig_expiration: 1742078855, sig_inception: 1741898855, key_tag: 34505, signer_name: Name("cloudflare.com."), sig: [72, 252, 68, 43, 84, 36, 59, 187, 197, 74, 193, 241, 17, 136, 248, 59, 128, 43, 90, 25, 132, 45, 80, 253, 121, 14, 69, 5, 206, 122, 143, 26, 65, 13, 134, 64, 95, 31, 160, 224, 188, 127, 16, 7, 85, 29, 90, 95, 195, 67, 114, 224, 14, 57, 2, 142, 150, 101, 25, 121, 39, 246, 224, 75] }))), proof: Indeterminate }], name_servers: [], additionals: [], signature: [], edns: Some(Edns { rcode_high: 0, version: 0, flags: EdnsFlags { dnssec_ok: true, z: 0 }, max_payload: 1232, options: OPT { options: [] } }) }, buffer: [152, 47, 132, 0, 0, 1, 0, 4, 0, 0, 0, 1, 5, 108, 97, 107, 97, 115, 2, 110, 115, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 0, 28, 0, 1, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 42, 6, 152, 193, 0, 80, 0, 0, 0, 0, 0, 0, 172, 64, 33, 194, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 38, 6, 71, 0, 0, 88, 0, 0, 0, 0, 0, 0, 173, 245, 59, 194, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 40, 3, 248, 0, 0, 80, 0, 0, 0, 0, 0, 0, 108, 162, 193, 194, 192, 12, 0, 46, 0, 1, 0, 1, 81, 81, 0, 98, 0, 28, 13, 4, 0, 1, 81, 81, 103, 214, 3, 135, 103, 211, 68, 103, 134, 201, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 72, 252, 68, 43, 84, 36, 59, 187, 197, 74, 193, 241, 17, 136, 248, 59, 128, 43, 90, 25, 132, 45, 80, 253, 121, 14, 69, 5, 206, 122, 143, 26, 65, 13, 134, 64, 95, 31, 160, 224, 188, 127, 16, 7, 85, 29, 90, 95, 195, 67, 114, 224, 14, 57, 2, 142, 150, 101, 25, 121, 39, 246, 224, 75, 0, 0, 41, 4, 208, 0, 0, 128, 0, 0, 0] } 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 58927 1741988855:DEBUG:hickory_proto::error:499:response: ; header 58927:RESPONSE:AA:NoError:QUERY:4/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; rita.ns.cloudflare.com. IN AAAA ; answers 4 rita.ns.cloudflare.com. 86353 IN AAAA 2a06:98c1:50::ac40:208c rita.ns.cloudflare.com. 86353 IN AAAA 2803:f800:50::6ca2:c08c rita.ns.cloudflare.com. 86353 IN AAAA 2606:4700:50::adf5:3a8c rita.ns.cloudflare.com. 86353 IN RRSIG AAAA ECDSAP256SHA256 4 86353 1742078855 1741898855 34505 cloudflare.com. F0SriKvgsqZtYq8Loucy/qn1Yf2WdkypmNbJ6Vu5JC0a4yfQy2MRODIj0+iVUoUmTYXWhwjzuzwLMkGG0wxv4Q== ; nameservers 0 ; additionals 1 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:755:append_ips_from_lookup: A or AAAA response: DnsResponse { message: Message { header: Header { id: 58927, message_type: Response, op_code: Query, authoritative: true, truncation: false, recursion_desired: false, recursion_available: false, authentic_data: false, checking_disabled: false, response_code: NoError, query_count: 1, answer_count: 4, name_server_count: 0, additional_count: 1 }, queries: [Query { name: Name("rita.ns.cloudflare.com."), query_type: AAAA, query_class: IN }], answers: [Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2a06:98c1:50::ac40:208c)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2803:f800:50::6ca2:c08c)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: AAAA(AAAA(2606:4700:50::adf5:3a8c)), proof: Indeterminate }, Record { name_labels: Name("rita.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: DNSSEC(RRSIG(RRSIG(SIG { type_covered: AAAA, algorithm: ECDSAP256SHA256, num_labels: 4, original_ttl: 86353, sig_expiration: 1742078855, sig_inception: 1741898855, key_tag: 34505, signer_name: Name("cloudflare.com."), sig: [23, 68, 171, 136, 171, 224, 178, 166, 109, 98, 175, 11, 162, 231, 50, 254, 169, 245, 97, 253, 150, 118, 76, 169, 152, 214, 201, 233, 91, 185, 36, 45, 26, 227, 39, 208, 203, 99, 17, 56, 50, 35, 211, 232, 149, 82, 133, 38, 77, 133, 214, 135, 8, 243, 187, 60, 11, 50, 65, 134, 211, 12, 111, 225] }))), proof: Indeterminate }], name_servers: [], additionals: [], signature: [], edns: Some(Edns { rcode_high: 0, version: 0, flags: EdnsFlags { dnssec_ok: true, z: 0 }, max_payload: 1232, options: OPT { options: [] } }) }, buffer: [230, 47, 132, 0, 0, 1, 0, 4, 0, 0, 0, 1, 4, 114, 105, 116, 97, 2, 110, 115, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 0, 28, 0, 1, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 42, 6, 152, 193, 0, 80, 0, 0, 0, 0, 0, 0, 172, 64, 32, 140, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 40, 3, 248, 0, 0, 80, 0, 0, 0, 0, 0, 0, 108, 162, 192, 140, 192, 12, 0, 28, 0, 1, 0, 1, 81, 81, 0, 16, 38, 6, 71, 0, 0, 80, 0, 0, 0, 0, 0, 0, 173, 245, 58, 140, 192, 12, 0, 46, 0, 1, 0, 1, 81, 81, 0, 98, 0, 28, 13, 4, 0, 1, 81, 81, 103, 214, 3, 135, 103, 211, 68, 103, 134, 201, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 23, 68, 171, 136, 171, 224, 178, 166, 109, 98, 175, 11, 162, 231, 50, 254, 169, 245, 97, 253, 150, 118, 76, 169, 152, 214, 201, 233, 91, 185, 36, 45, 26, 227, 39, 208, 203, 99, 17, 56, 50, 35, 211, 232, 149, 82, 133, 38, 77, 133, 214, 135, 8, 243, 187, 60, 11, 50, 65, 134, 211, 12, 111, 225, 0, 0, 41, 4, 208, 0, 0, 128, 0, 0, 0] } 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 5387 1741988855:DEBUG:hickory_proto::error:499:response: ; header 5387:RESPONSE:AA:NoError:QUERY:4/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; lakas.ns.cloudflare.com. IN A ; answers 4 lakas.ns.cloudflare.com. 86353 IN A 173.245.59.194 lakas.ns.cloudflare.com. 86353 IN A 108.162.193.194 lakas.ns.cloudflare.com. 86353 IN A 172.64.33.194 lakas.ns.cloudflare.com. 86353 IN RRSIG A ECDSAP256SHA256 4 86353 1742078855 1741898855 34505 cloudflare.com. 59GvtV+Q0Evh9TXw2p+VUYOI0nFi3o1Bnjl/e3Rso8tpWSq4izbWrpCqMgFfIj+3m4OnKQl0Ds6SE+BaJ7HiTg== ; nameservers 0 ; additionals 1 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:755:append_ips_from_lookup: A or AAAA response: DnsResponse { message: Message { header: Header { id: 5387, message_type: Response, op_code: Query, authoritative: true, truncation: false, recursion_desired: false, recursion_available: false, authentic_data: false, checking_disabled: false, response_code: NoError, query_count: 1, answer_count: 4, name_server_count: 0, additional_count: 1 }, queries: [Query { name: Name("lakas.ns.cloudflare.com."), query_type: A, query_class: IN }], answers: [Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(173.245.59.194)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(108.162.193.194)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: A(A(172.64.33.194)), proof: Indeterminate }, Record { name_labels: Name("lakas.ns.cloudflare.com."), dns_class: IN, ttl: 86353, rdata: DNSSEC(RRSIG(RRSIG(SIG { type_covered: A, algorithm: ECDSAP256SHA256, num_labels: 4, original_ttl: 86353, sig_expiration: 1742078855, sig_inception: 1741898855, key_tag: 34505, signer_name: Name("cloudflare.com."), sig: [231, 209, 175, 181, 95, 144, 208, 75, 225, 245, 53, 240, 218, 159, 149, 81, 131, 136, 210, 113, 98, 222, 141, 65, 158, 57, 127, 123, 116, 108, 163, 203, 105, 89, 42, 184, 139, 54, 214, 174, 144, 170, 50, 1, 95, 34, 63, 183, 155, 131, 167, 41, 9, 116, 14, 206, 146, 19, 224, 90, 39, 177, 226, 78] }))), proof: Indeterminate }], name_servers: [], additionals: [], signature: [], edns: Some(Edns { rcode_high: 0, version: 0, flags: EdnsFlags { dnssec_ok: true, z: 0 }, max_payload: 1232, options: OPT { options: [] } }) }, buffer: [21, 11, 132, 0, 0, 1, 0, 4, 0, 0, 0, 1, 5, 108, 97, 107, 97, 115, 2, 110, 115, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 0, 1, 0, 1, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 173, 245, 59, 194, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 108, 162, 193, 194, 192, 12, 0, 1, 0, 1, 0, 1, 81, 81, 0, 4, 172, 64, 33, 194, 192, 12, 0, 46, 0, 1, 0, 1, 81, 81, 0, 98, 0, 1, 13, 4, 0, 1, 81, 81, 103, 214, 3, 135, 103, 211, 68, 103, 134, 201, 10, 99, 108, 111, 117, 100, 102, 108, 97, 114, 101, 3, 99, 111, 109, 0, 231, 209, 175, 181, 95, 144, 208, 75, 225, 245, 53, 240, 218, 159, 149, 81, 131, 136, 210, 113, 98, 222, 141, 65, 158, 57, 127, 123, 116, 108, 163, 203, 105, 89, 42, 184, 139, 54, 214, 174, 144, 170, 50, 1, 95, 34, 63, 183, 155, 131, 167, 41, 9, 116, 14, 206, 146, 19, 224, 90, 39, 177, 226, 78, 0, 0, 41, 4, 208, 0, 0, 128, 0, 0, 0] } 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:678:ns_pool_for_referral found nameservers for maxemann96.de.: NameServerConfigGroup { servers: [NameServerConfig { socket_addr: 108.162.192.140:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 108.162.192.140:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 173.245.58.140:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 173.245.58.140:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 172.64.32.140:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 172.64.32.140:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2a06:98c1:50::ac40:21c2]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2a06:98c1:50::ac40:21c2]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2606:4700:58::adf5:3bc2]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2606:4700:58::adf5:3bc2]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2803:f800:50::6ca2:c1c2]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2803:f800:50::6ca2:c1c2]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2a06:98c1:50::ac40:208c]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2a06:98c1:50::ac40:208c]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2803:f800:50::6ca2:c08c]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2803:f800:50::6ca2:c08c]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2606:4700:50::adf5:3a8c]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: [2606:4700:50::adf5:3a8c]:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 173.245.59.194:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 173.245.59.194:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 108.162.193.194:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 108.162.193.194:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 172.64.33.194:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }, NameServerConfig { socket_addr: 172.64.33.194:53, protocol: Tcp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None }] } 1741988855:INFO:hickory_recursor::recursor_pool:88:querying maxemann96.de. for maxemann96.de. IN DNSKEY 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: maxemann96.de. DNSKEY 1741988855:DEBUG:hickory_proto::xfer::dns_exchange:186:io_stream is done, shutting down 1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }] 1741988855:DEBUG:hickory_proto::xfer::dns_exchange:186:io_stream is done, shutting down 1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: [2606:4700:50::adf5:3a8c]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }] 1741988855:DEBUG:hickory_proto::xfer::dns_exchange:186:io_stream is done, shutting down 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 39959:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; maxemann96.de. IN DNSKEY 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_resolver::name_server::name_server:150:name_server connection failure: io error: Network is unreachable (os error 101) config=NameServerConfig { socket_addr: [2606:4700:50::adf5:3a8c]:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 173.245.58.140:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("maxemann96.de."), query_type: DNSKEY, query_class: IN }] 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 8224:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; maxemann96.de. IN DNSKEY 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 8224 1741988855:DEBUG:hickory_proto::error:499:response: ; header 8224:RESPONSE:AA:NoError:QUERY:3/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; maxemann96.de. IN DNSKEY ; answers 3 maxemann96.de. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== maxemann96.de. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA== maxemann96.de. 3600 IN RRSIG DNSKEY ECDSAP256SHA256 2 3600 1745835939 1740565539 2371 maxemann96.de. Le3bJmqQyGqQi1Iybmz2ynyUckVLafT6nvIVGq4ApmnG3U/BiYbSDRcwsdt7dKGgzynTzP3lXvF8SUlmZ2YbYw== ; nameservers 0 ; additionals 1 1741988855:INFO:hickory_recursor:91:response: 8224:RESPONSE:AA:NoError:QUERY:3/0/1 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:301:validating message_response: 0, with 3 trust_anchors 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:399:verifying: maxemann96.de. record_type: DNSKEY, rrsigs: 1 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:545:dnskey validation maxemann96.de., record_type: DNSKEY 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: maxemann96.de. DS 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:421:returning cached pool for de. 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:212:found zone de. for maxemann96.de. IN DS 1741988855:INFO:hickory_recursor::recursor_pool:88:querying de. for maxemann96.de. IN DS 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: maxemann96.de. DS 1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("maxemann96.de."), query_type: DS, query_class: IN }] 1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 194.0.0.53:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("maxemann96.de."), query_type: DS, query_class: IN }] 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 23534:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; maxemann96.de. IN DS 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 23534 1741988855:DEBUG:hickory_proto::error:499:response: ; header 23534:RESPONSE:AA:NoError:QUERY:0/6/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1452 opts: 0 ; query ;; maxemann96.de. IN DS ; answers 0 ; nameservers 6 tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A tjlcsjat4ljtvo0tjncrrdf6kf6onefb NS SOA RRSIG DNSKEY NSEC3PARAM tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN RRSIG NSEC3 RSASHA256 2 7200 1742875922 1741660922 4260 de. g3dejoZYushtr3yq7WpbIxE9TZ//w9R8Sk2VUKaQnqBfD751qefguQA1ePeT+hINSnxn2xTxVoyuuLab3BXeqhlMS974S/XJAmOoFFPnerTrVj2DDFnOl50vzTpg+eUma8BLsx1m9HdbhOta/aMuQwo+3arFXnnPXZQdr2Z+IcQ= de. 7200 IN SOA f.nic.de. dns-operations.denic.de. 1741988725 7200 7200 3600000 7200 de. 7200 IN RRSIG SOA RSASHA256 1 86400 1743198322 1741983322 4260 de. SgtHW7C6uy7YoElVAGrDvvZqLCky/14ykIRorsKWwM7TJ/pPwlik6jqVvlvNN3rQ2z7mzK2DBcrkXDM7WA1u6yU2yARIGsBzMCGl/xT5wMvoRdTBOzs1/CWDKl3VqRJBeoG6y/DfldzkE0GyNXV+k8EmyJPIQrwtuFMQ1Hriw20= 4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A 4t0hg0qp0r9bjphla2do1277mc019msp A RRSIG 4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN RRSIG NSEC3 RSASHA256 2 7200 1743077572 1741862572 4260 de. V7aIKs1/fcbQyYHPEdPmy8B6vv51cVVQVOMZCXJeEManBHmDMRsSVHXYmUjA28LONYBYuBvOxdf2mJK9ypbGrH1tElv7M0y8lfBZjeZtkZZ789yjioNTQuGU7VtTWAT1QWUEKB3l6TPrnEkSplgPmDCxIwLw75ERvgSXOaFug8I= ; additionals 1 1741988855:WARN:hickory_recursor::recursor_dns_handle:406:lookup error: proto error: no records found for Query { name: Name("maxemann96.de."), query_type: DS, query_class: IN } 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:167:translating NoRecordsFound to DnsResponse for maxemann96.de. IN DS 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:301:validating message_response: 0, with 3 trust_anchors 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:1365:nsec3 proof for maxemann96.de., returning Bogus: no valid servicing wildcard proof 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:281:returning Nsec error for maxemann96.de. Bogus 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: de. DS 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:301:validating message_response: 0, with 3 trust_anchors 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:399:verifying: de. record_type: DS, rrsigs: 1 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: . DNSKEY 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:433:using roots for . nameservers 1741988855:INFO:hickory_recursor::recursor_pool:88:querying . for . IN NS 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: . NS 1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("."), query_type: NS, query_class: IN }] 1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 202.12.27.33:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("."), query_type: NS, query_class: IN }] 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 59437:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; . IN NS 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 59437 1741988855:DEBUG:hickory_proto::error:499:response: ; header 59437:RESPONSE:AA:NoError:QUERY:14/0/27 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; . IN NS ; answers 14 . 518400 IN NS e.root-servers.net. . 518400 IN NS g.root-servers.net. . 518400 IN NS i.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS a.root-servers.net. . 518400 IN NS j.root-servers.net. . 518400 IN NS m.root-servers.net. . 518400 IN NS d.root-servers.net. . 518400 IN NS k.root-servers.net. . 518400 IN NS h.root-servers.net. . 518400 IN NS f.root-servers.net. . 518400 IN NS l.root-servers.net. . 518400 IN RRSIG NS RSASHA256 0 518400 1743094800 1741968000 26470 . RNBi4rY553YVDa8DjWj786NTjL+qEUUAq86K4PMhoU/oqH0R16wJpCXNosD1nR7Zj65Skp0pSqS/RNSx7yfGjSvEaefPSrYcMjeo0Ue/gtET1a1ZIZLH7wUEV/GUHPJ6NzsAgbS0AWyjTZfbcht23EMYIbyu3/cRNoRhQoeyT2idHQmodQgAWsVVCJcuipoR1QFrhM0KQE0dTWq2joQOgyYbq7CVYuC1+InuzZMbdPCFIo2z5d5SnLqAJSb25kwcV04V8u0OCRqGheGu0PebKspR1AqJhCrexsX6682p6WSj1Q3DlFE6F8V+amRxpHciD9/paTDNMvwg0YgUmRPQkw== ; nameservers 0 ; additionals 27 m.root-servers.net. 518400 IN A 202.12.27.33 l.root-servers.net. 518400 IN A 199.7.83.42 k.root-servers.net. 518400 IN A 193.0.14.129 j.root-servers.net. 518400 IN A 192.58.128.30 i.root-servers.net. 518400 IN A 192.36.148.17 h.root-servers.net. 518400 IN A 198.97.190.53 g.root-servers.net. 518400 IN A 192.112.36.4 f.root-servers.net. 518400 IN A 192.5.5.241 e.root-servers.net. 518400 IN A 192.203.230.10 d.root-servers.net. 518400 IN A 199.7.91.13 c.root-servers.net. 518400 IN A 192.33.4.12 b.root-servers.net. 518400 IN A 170.247.170.2 a.root-servers.net. 518400 IN A 198.41.0.4 m.root-servers.net. 518400 IN AAAA 2001:dc3::35 l.root-servers.net. 518400 IN AAAA 2001:500:9f::42 k.root-servers.net. 518400 IN AAAA 2001:7fd::1 j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30 i.root-servers.net. 518400 IN AAAA 2001:7fe::53 h.root-servers.net. 518400 IN AAAA 2001:500:1::53 g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d f.root-servers.net. 518400 IN AAAA 2001:500:2f::f e.root-servers.net. 518400 IN AAAA 2001:500:a8::e d.root-servers.net. 518400 IN AAAA 2001:500:2d::d c.root-servers.net. 518400 IN AAAA 2001:500:2::c b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30 1741988855:INFO:hickory_recursor:91:response: 59437:RESPONSE:AA:NoError:QUERY:14/0/27 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:485:response is not NS: DNSSEC(RRSIG(RRSIG(SIG { type_covered: NS, algorithm: RSASHA256, num_labels: 0, original_ttl: 518400, sig_expiration: 1743094800, sig_inception: 1741968000, key_tag: 26470, signer_name: Name("."), sig: [68, 208, 98, 226, 182, 57, 231, 118, 21, 13, 175, 3, 141, 104, 251, 243, 163, 83, 140, 191, 170, 17, 69, 0, 171, 206, 138, 224, 243, 33, 161, 79, 232, 168, 125, 17, 215, 172, 9, 164, 37, 205, 162, 192, 245, 157, 30, 217, 143, 174, 82, 146, 157, 41, 74, 164, 191, 68, 212, 177, 239, 39, 198, 141, 43, 196, 105, 231, 207, 74, 182, 28, 50, 55, 168, 209, 71, 191, 130, 209, 19, 213, 173, 89, 33, 146, 199, 239, 5, 4, 87, 241, 148, 28, 242, 122, 55, 59, 0, 129, 180, 180, 1, 108, 163, 77, 151, 219, 114, 27, 118, 220, 67, 24, 33, 188, 174, 223, 247, 17, 54, 132, 97, 66, 135, 178, 79, 104, 157, 29, 9, 168, 117, 8, 0, 90, 197, 85, 8, 151, 46, 138, 154, 17, 213, 1, 107, 132, 205, 10, 64, 77, 29, 77, 106, 182, 142, 132, 14, 131, 38, 27, 171, 176, 149, 98, 224, 181, 248, 137, 238, 205, 147, 27, 116, 240, 133, 34, 141, 179, 229, 222, 82, 156, 186, 128, 37, 38, 246, 230, 76, 28, 87, 78, 21, 242, 237, 14, 9, 26, 134, 133, 225, 174, 208, 247, 155, 42, 202, 81, 212, 10, 137, 132, 42, 222, 198, 197, 250, 235, 205, 169, 233, 100, 163, 213, 13, 195, 148, 81, 58, 23, 197, 126, 106, 100, 113, 164, 119, 34, 15, 223, 233, 105, 48, 205, 50, 252, 32, 209, 136, 20, 153, 19, 208, 147] }))); skipping 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:562:found nameservers for . 1741988855:DEBUG:hickory_recursor::recursor_dns_handle:212:found zone . for . IN DNSKEY 1741988855:INFO:hickory_recursor::recursor_pool:88:querying . for . IN DNSKEY 1741988855:DEBUG:hickory_proto::xfer::dns_handle:64:querying: . DNSKEY 1741988855:DEBUG:hickory_resolver::name_server::name_server_pool:208:sending request: [Query { name: Name("."), query_type: DNSKEY, query_class: IN }] 1741988855:DEBUG:hickory_resolver::name_server::name_server:101:reconnecting: NameServerConfig { socket_addr: 192.112.36.4:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: true, bind_addr: None } 1741988855:DEBUG:hickory_proto::xfer:168:enqueueing message:QUERY:[Query { name: Name("."), query_type: DNSKEY, query_class: IN }] 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:189:final message: ; header 5909:QUERY::NoError:QUERY:0/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; . IN DNSKEY 1741988855:DEBUG:hickory_proto::udp::udp_stream:283:created socket successfully 1741988855:DEBUG:hickory_proto::udp::udp_client_stream:410:received message id: 5909 1741988855:DEBUG:hickory_proto::error:499:response: ; header 5909:RESPONSE:AA:NoError:QUERY:4/0/1 ; edns version: 0 dnssec_ok: true z_flags: 0 max_payload: 1232 opts: 0 ; query ;; . IN DNSKEY ; answers 4 . 172800 IN DNSKEY 256 3 8 AwEAAZ5A7jOztf62cGqhPhutjnyl7KBjIsjbyTb8il+FsgbMUbO2NQHaSbatHdlOlqANncDwSIKZ9ryqd1+Dy1PoGzeTUv95vOJnVVJHlJu7xdavnUmPs+Mh2NV7hDlTTwPn5uXgFxAaxoO9M/YIAC92GryCLjoJEg9JzeevkktEM/sFpmRv4I5jQtlLyRqVbnCzcWpi04XaVLxRKvURkd/Mdb/2RQS3MYvrkEBXuqtnAVBCf6Fx4sgBYOfYvbUuG2diLnGJW/MXvFpctZgQ76+3FwMqAZfR9k5bohL7AF3+jqz4MUiootYoh5koyt7VEnUULxxy6U5PINTGgOC26f3zZuk= . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= . 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= . 172800 IN RRSIG DNSKEY RSASHA256 0 172800 1743552000 1741737600 20326 . joWEhr7Z7AY96Kpp+ioymNlyKtdPDPkzEvGO1tLYsoR0huN6i7rOVBRYQd0HHWdA4RaXiXf7ME5U1qEiuH3xFG3H7BRBwddweL4ubSNVeVo5sk+BSv74uTSpnPcCgUgCxppaY4c9Q6lXOASVGNiyLPG4bMUSbBONXBKRT5vnJss1z30BF47JaFM/OdT+0Zu8oVr8f8KX1hjcm8pZfpoIAnHg2BLsbVCS5iBfmtahqttuyEnJdw0R2ExBXpYNrK6ZR5sSiF5S4lMf66ix4bBl2eecQFWNAsD4H3yksS95JEgXkq4JJduKbn7t7B1aFennfSjC9lT3WZ7O6xuPXb2QLw== ; nameservers 0 ; additionals 1 1741988855:INFO:hickory_recursor:91:response: 5909:RESPONSE:AA:NoError:QUERY:4/0/1 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:301:validating message_response: 0, with 3 trust_anchors 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:399:verifying: . record_type: DNSKEY, rrsigs: 1 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:545:dnskey validation ., record_type: DNSKEY 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:681:validated dnskey with trust_anchor: ., 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:570:ignoring DS lookup for root zone or registered keys 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:1114:validated (., DNSKEY) with (., 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=) 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:409:verified: . record_type: DNSKEY 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:1114:validated (de., DS) with (., 256 3 8 AwEAAZ5A7jOztf62cGqhPhutjnyl7KBjIsjbyTb8il+FsgbMUbO2NQHaSbatHdlOlqANncDwSIKZ9ryqd1+Dy1PoGzeTUv95vOJnVVJHlJu7xdavnUmPs+Mh2NV7hDlTTwPn5uXgFxAaxoO9M/YIAC92GryCLjoJEg9JzeevkktEM/sFpmRv4I5jQtlLyRqVbnCzcWpi04XaVLxRKvURkd/Mdb/2RQS3MYvrkEBXuqtnAVBCf6Fx4sgBYOfYvbUuG2diLnGJW/MXvFpctZgQ76+3FwMqAZfR9k5bohL7AF3+jqz4MUiootYoh5koyt7VEnUULxxy6U5PINTGgOC26f3zZuk=) 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:409:verified: de. record_type: DS 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:417:failed to verify: maxemann96.de. record_type: DNSKEY: ds record should exist: maxemann96.de. 1741988855:DEBUG:hickory_proto::dnssec::dnssec_dns_handle:417:failed to verify: maxemann96.de. record_type: MX: rrsigs were not able to be verified: maxemann96.de., type: MX 1741988855:INFO:hickory_recursor:91:response: 0:QUERY::NoError:QUERY:0/0/0 1741988855:DEBUG:hickory_server::server::response_handler:107:response: 58593 response_code: Server Failure 1741988855:INFO:hickory_server::server::server_future:865:request:58593 src:udp://127.0.0.1#53450 QUERY qflags:RD,AD response:ServFail rr:0/0/1 rflags:RD,RA 1741988855:INFO:hickory_server::server::server_future:880:query:maxemann96.de.:MX:IN ``` </details> The line `nsec3 proof for maxemann96.de., returning Bogus: no valid servicing wildcard proof` looks suspicious. Note that we already have recursor conformance tests covering insecure zones that nevertheless include DNSKEY record, see `resolver::dnssec::scenarios::insecure::no_ds_record_nsec3` etc. I tried querying `DS maxemann96.de`, and Hickory DNS returns SERVFAIL for that as well. Here's what Google Public DNS returns, FWIW. ``` ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38665 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;maxemann96.de. IN DS ;; AUTHORITY SECTION: de. 1800 IN SOA f.nic.de. dns-operations.denic.de. 1741990494 7200 7200 3600000 7200 de. 1800 IN RRSIG SOA 8 1 86400 20250328221451 20250314204451 4260 de. hhntj4t33aLEfFknlY1BJEPsz8qGhK2m+3VicZRtJSV6Cye0vw1i6wJN 2089jwiM0Eb1ImUSpZ6Zl+8El392HNqHOa3h+600QtYSUh1xYn9vM6fQ 52Oo9xa+hWsniwGV4PYX4iOGlLmhe0U+ckCnlcXLe7/+yqYr9TYMpTF6 oIo= tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A TJLCSJAT4LJTVO0TJNCRRDF6KF6ONEFB NS SOA RRSIG DNSKEY NSEC3PARAM tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 7200 IN RRSIG NSEC3 8 2 7200 20250325041202 20250311024202 4260 de. g3dejoZYushtr3yq7WpbIxE9TZ//w9R8Sk2VUKaQnqBfD751qefguQA1 ePeT+hINSnxn2xTxVoyuuLab3BXeqhlMS974S/XJAmOoFFPnerTrVj2D DFnOl50vzTpg+eUma8BLsx1m9HdbhOta/aMuQwo+3arFXnnPXZQdr2Z+ IcQ= 4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN NSEC3 1 1 15 CA12B74ADB90591A 4T0HG0QP0R9BJPHLA2DO1277MC019MSP A RRSIG 4t0f1kmjgjv70hds8uk2pqvhm99cmdsj.de. 7200 IN RRSIG NSEC3 8 2 7200 20250327121252 20250313104252 4260 de. V7aIKs1/fcbQyYHPEdPmy8B6vv51cVVQVOMZCXJeEManBHmDMRsSVHXY mUjA28LONYBYuBvOxdf2mJK9ypbGrH1tElv7M0y8lfBZjeZtkZZ789yj ioNTQuGU7VtTWAT1QWUEKB3l6TPrnEkSplgPmDCxIwLw75ERvgSXOaFu g8I= ```

kerem commented 2026-03-16 01:33:01 +03:00

Author

Owner

Copy link

@divergentdave commented on GitHub (Mar 14, 2025):

Okay, looking at case 3 in validate_nodata_response(), I think there are two things wrong here. First, we do find_covering_record(...).iter().all(...) when checking if we should return Insecure on an opt-out insecure delegation, but that would evaluate to true when we don't find a covering record, which is too permissive. Secondly, the predicate in the .all() combinator is checking if the covering NSEC3 record includes a DS RRset and is an opt-out NSEC3 record. The first condition is irrelevant, because we're looking at a covering NSEC3 record, not a matching NSEC3 record. The existence of the covering record means there's no authoritative data for the query, and the opt-out flag means there could be an insecure delegation as an exception.

<!-- gh-comment-id:2725969325 --> @divergentdave commented on GitHub (Mar 14, 2025): Okay, looking at case 3 in `validate_nodata_response()`, I think there are two things wrong here. First, we do `find_covering_record(...).iter().all(...)` when checking if we should return `Insecure` on an opt-out insecure delegation, but that would evaluate to true when we don't find a covering record, which is too permissive. Secondly, the predicate in the `.all()` combinator is checking if the covering NSEC3 record includes a DS RRset and is an opt-out NSEC3 record. The first condition is irrelevant, because we're looking at a covering NSEC3 record, not a matching NSEC3 record. The existence of the covering record means there's no authoritative data for the query, and the opt-out flag means there could be an insecure delegation as an exception.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

david/conformance-dnssec-negative-tests

prepare-0.26.1

release/0.26

query-api

opt-types

cname-nsec

no-cname-recursion

conformance-min-ttl

dname-base

drop-message-request

no-error-queries

cpu-sig0-rm-message-sig_dev

cpu-tsig-test-update_dev

windows-config

dnssec-net

release/0.25

opp-enc-persist

integration-test

cpu-tidying-recursor-opts_dev

happy-eyeballs

david/authoritative-zone-storage-trait

dnssec-ad

no-authority

release/0.24

pvdrz/remove-top-file

pvdrz/h3-handshake-timeout

pvdrz/quic-handshake-timeout

nxdomain-for-recursor

ja-test-merque-queue

ja-fix-ci-again

sz-add-ede-tests

sz-test-tc-bit-with-large-response

sz-fix-tokio-dependency

gh-2275-test-rrsig-signature

refactor-sign-zone-file

fix-1.79-cleanliness

update-nightly-hash

release/0.23

gh-pages

use-just-for-server-toml

release/0.22

revert-1874-cpu-zone-parse-default-class

disable-bind-compatibility-tests

disable-test_tls_client_stream_ipv4

update-native-tls-0.2.11

recursor-tests

fix-clippy-self

release/0.20

saethlin-fix-rdata-zero

release/0.19

flat_name

drop_unused_futures

release/0.18

release-r0.12-cs0.17

release/r0.12-cs0.17

trust-dns-book

r0.10

test-connections-not-dropped

fix_exec_status_on_rs_files

release-0.9

add-mutex-to-integration-tests

0.8_release

bfry/dns-crypt

v0.26.0

v0.26.0-beta.4

v0.26.0-beta.3

v0.26.0-beta.2

v0.26.0-beta.1

v0.26.0-alpha.1

v0.25.2

v0.25.1

v0.25.0

v0.24.4

v0.24.3

v0.25.0-alpha.5

v0.24.2

v0.25.0-alpha.4

v0.25.0-alpha.3

v0.25.0-alpha.2

v0.25.0-alpha.1

v0.24.1

v0.23.2

v0.24.0

v0.23.1

v0.23.0

v0.23.0-alpha.5

v0.23.0-alpha.4

v0.23.0-alpha.3

v0.22.1

v0.23.0-alpha.2

v0.23.0-alpha.1

v0.22.0

v0.21.2

v0.21.1

v0.21.0

v0.21.0-alpha.5

v0.20.4

v0.21.0-alpha.4

v0.21.0-alpha.3

v0.21.0-alpha.2

v0.21.0-alpha.1

v0.20.3

v0.20.2

v0.20.1

v0.19.7

v0.20.0

0.19.6

v0.20.0-alpha.3

v0.20.0-alpha.2

v0.20.0-alpha.1

0.19.5

0.19.4

0.19.3

0.19.0

0.18.1

0.18

0.18.0.alpha.2

r0.12_cs0.17

r0.11.1

cs0.16.1

r0.11

cs0.16

r0.10.1

r0.10.0

cs0.15.0

r0.9.1

v0.14.0

r0.9.0

r0.8.1

r0.8.0

v0.13.0

r0.7.0

c0.12.0

r0.6.0

r0.5.0

resolver.0.4.0

0.11.0

0.10.5

0.10.4

0.10.3

0.10.2

0.10.1

0.10.0

0.9.3

0.9.2

0.9.1

0.9.0

0.8.1

0.8.0

0.7.3

0.7.2

0.7.1

0.7.0

0.6.0

0.5.3

0.5.1

0.5.0

0.4.0

0.3.1

0.3.0

0.2.1

0.2.0

0.1.0

Labels

Clear labels   

blocked

  

breaking-change

  

bug

  

bug:critical

  

bug:tests

  

cleanup

  

compliance

  

compliance

  

compliance

  

crate:all

  

crate:client

  

crate:native-tls

  

crate:proto

  

crate:recursor

  

crate:resolver

  

crate:resolver

  

crate:rustls

  

crate:server

  

crate:util

  

dependencies

  

docs

  

duplicate

  

easy

  

easy

  

enhance

  

enhance

  

enhance

  

feature:dns-over-https

  

feature:dns-over-quic

  

feature:dns-over-tls

  

feature:dnsssec

  

feature:global_lb

  

feature:mdns

  

feature:tsig

  

features:edns

  

has workaround

  

ops

  

perf

  

platform:WASM

  

platform:android

  

platform:fuchsia

  

platform:linux

  

platform:macos

  

platform:windows

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

test

  

tools

  

tools

  

trust

  

unclear

  

wontfix

No labels

blocked

breaking-change

bug

bug:critical

bug:tests

cleanup

compliance

compliance

compliance

crate:all

crate:client

crate:native-tls

crate:proto

crate:recursor

crate:resolver

crate:resolver

crate:rustls

crate:server

crate:util

dependencies

docs

duplicate

easy

easy

enhance

enhance

enhance

feature:dns-over-https

feature:dns-over-quic

feature:dns-over-tls

feature:dnsssec

feature:global_lb

feature:mdns

feature:tsig

features:edns

has workaround

ops

perf

platform:WASM

platform:android

platform:fuchsia

platform:linux

platform:macos

platform:windows

pull-request

question

test

tools

tools

trust

unclear

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/hickory-dns#1073

No description provided.