DNSSEC does not only sign what exists; it must also prove what does not. When a signed zone delegates a subdomain without a DS record - a legal, ordinary arrangement - the parent has to answer DS queries with a signed NSEC or NSEC3 record proving the DS is absent. One provider hosting dnsdoh.art earlier this year served the delegation without that proof, and Google, Cloudflare and Quad9 all refused the subtree: SERVFAIL with extended error 22, No Reachable Authority.
What the runbook covers
- The diagnosis: reading Extended DNS Errors (RFC 8914), and the one dig query against the provider's own nameserver that isolates responsibility.
- Six providers compared: the same delegation answered by bunny.net, Route 53, IBM NS1, Gcore, deSEC and Google Cloud DNS - one genuine bug and three valid dialects of authenticated denial: white-lie NSEC with a minimal bitmap, the same with an inflated bitmap, and a real precomputed NSEC3 chain - the last one provable by hashing the names yourself.
- The report that worked: a reproduction command, the RFC 4035 section number, resolver-side impact, and a cross-provider comparison. The provider's DNS team confirmed a fix within a day and deployed it platform-wide.
- Verified in July: the same query against the same nameserver now returns a correct minimal NSEC - the before and after are both in the article.
- A five-minute audit to run against any DNS provider before trusting it with a signed zone that has delegations.
The full runbook: The Missing NSEC: When a Signed Zone Loses Its Delegation.