Hi,
I use mod-synth-record to provide some reverse records for a LAN.
mod-synth-record:
  - id: tregon-grifon
    type: forward
    prefix: ip6-
    ttl: 400
    network: 2a00:5884:8316::/48

mod-synth-record:
  - id: tregon-grifon-reverse
    type: reverse
    prefix: ip6-
    origin: tregon-grifon.swordarmor.fr
    ttl: 400
    network: 2a00:5884:8316::/48
They are both very simple:
eddy ~ # cat /var/lib/knot/tregon-grifon.swordarmor.fr.zone.nodnssec
@       864000  IN SOA  tregon-grifon.swordarmor.fr. hostmaster.swordarmor.fr. (
                        2 3600 900 1209600 43200 )
        864000  IN NS   tregon-grifon.swordarmor.fr.
                IN AAAA 2a00:5884:8316::1
                   A    89.234.186.16

eddy ~ # cat /var/lib/knot/6.1.3.8.4.8.8.5.0.0.a.2.ip6.arpa.zone.nodnssec
@       864000  IN SOA  tregon-grifon.swordarmor.fr. hostmaster.swordarmor.fr. (
                        2 3600 900 1209600 43200 )
        864000  IN NS   tregon-grifon.swordarmor.fr.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR tregon-grifon.swordarmor.fr.
6.2.4.c.f.6.5.5.d.7.4.d.0.4.d.f.3.5.6.2 IN PTR pika-tregon.swordarmor.fr.
tregon-grifon.swordarmor.fr. is signed with DNSSEC, but I have an RRSIG only for the records in the pasted file.
alarig@pikachu ~ % dig -t RRSIG tregon-grifon.swordarmor.fr.
; <<>> DiG 9.10.4-P3 <<>> -t RRSIG tregon-grifon.swordarmor.fr.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53081
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tregon-grifon.swordarmor.fr. IN RRSIG
;; ANSWER SECTION:
tregon-grifon.swordarmor.fr. 3600 IN RRSIG A 13 3 3600 20161208210625 20161124210625 28440
tregon-grifon.swordarmor.fr. YlT/vCMLDyGHwKLoMOdQqENwWTyhphrbBatKhhtvCteTubwBp9FCrf9b
/jc0cRM07a321de7kw3cYPD3lfbPYA==
tregon-grifon.swordarmor.fr. 864000 IN RRSIG NS 13 3 864000 20161208210625 20161124210625
28440 tregon-grifon.swordarmor.fr.
l6HiWFaqz3Hys7aknEHEG6woKJ9xdYqopxNUTOYmMk94733jMnDiH5bx fDKGPjgyVCkbQWfFsJCr/udwnelSaQ==
tregon-grifon.swordarmor.fr. 864000 IN RRSIG SOA 13 3 864000 20161208210625 20161124210625
28440 tregon-grifon.swordarmor.fr.
OUWibAYe8oyRBWgGyPAxG0etUcGQe1ZEZ+1ywZIi1xQvhWMQy/0B+HNH RyQYYdJ9eXqXPP3uQRyXPTtsa+9KKQ==
tregon-grifon.swordarmor.fr. 3600 IN RRSIG AAAA 13 3 3600 20161208210625 20161124210625
28440 tregon-grifon.swordarmor.fr.
NIEEeURn0/RH9IqWxGM9W74Gf8UqDh4Bqap0NlZ4XQ+95FpfylAQKxo0 KZUNCDCXCFQ4Rpg/dJH4EhpWw8Pxtw==
tregon-grifon.swordarmor.fr. 43200 IN RRSIG NSEC 13 3 43200 20161208210625 20161124210625
28440 tregon-grifon.swordarmor.fr.
6T2+GjrRU8qU/zGNmY8R9bmkNUFGPJuJQP2qkhakV0GeiyseEWA5yPDE /YIELH04KKAE3yrudo8S6xcaQ6DveQ==
tregon-grifon.swordarmor.fr. 864000 IN RRSIG DNSKEY 13 3 864000 20161208210625
20161124210625 57104 tregon-grifon.swordarmor.fr.
F/jepDBqQriHFUSN8mnkiNZ6l3vP5K8ob44yuHkHBupimIo4S6hvuZXD F7AnbF5GtVsZPDdjA4qumkv1HaiTFQ==
;; Query time: 160 msec
;; SERVER: 2a00:5884:8218::1#53(2a00:5884:8218::1)
;; WHEN: Mon Nov 28 11:02:27 CET 2016
;; MSG SIZE rcvd: 794
alarig@pikachu ~ % dig -t RRSIG
ip6-2a00-5884-8316-2653-fd40-d47d-556f-c427.tregon-grifon.swordarmor.fr.
; <<>> DiG 9.10.4-P3 <<>> -t RRSIG
ip6-2a00-5884-8316-2653-fd40-d47d-556f-c427.tregon-grifon.swordarmor.fr.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27161
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ip6-2a00-5884-8316-2653-fd40-d47d-556f-c427.tregon-grifon.swordarmor.fr. IN RRSIG
;; Query time: 457 msec
;; SERVER: 2a00:5884:8218::1#53(2a00:5884:8218::1)
;; WHEN: Mon Nov 28 11:02:33 CET 2016
;; MSG SIZE rcvd: 100
So, I get a SERVFAIL when I try to resolve the AAAA.
alarig@pikachu ~ % dig -t AAAA
ip6-2a00-5884-8316-2653-fd40-d47d-556f-c427.tregon-grifon.swordarmor.fr.
; <<>> DiG 9.10.4-P3 <<>> -t AAAA
ip6-2a00-5884-8316-2653-fd40-d47d-556f-c427.tregon-grifon.swordarmor.fr.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38279
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ip6-2a00-5884-8316-2653-fd40-d47d-556f-c427.tregon-grifon.swordarmor.fr. IN AAAA
;; Query time: 2701 msec
;; SERVER: 2a00:5884:8218::1#53(2a00:5884:8218::1)
;; WHEN: Mon Nov 28 11:02:47 CET 2016
;; MSG SIZE rcvd: 100
But it works perfectly if I use a resolver that does not verify DNSSEC:
alarig@pikachu ~ % dig -t AAAA
ip6-2a00-5884-8316-2653-fd40-d47d-556f-c427.tregon-grifon.swordarmor.fr. @ns0.fdn.fr
; <<>> DiG 9.10.4-P3 <<>> -t AAAA
ip6-2a00-5884-8316-2653-fd40-d47d-556f-c427.tregon-grifon.swordarmor.fr. @ns0.fdn.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55433
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ip6-2a00-5884-8316-2653-fd40-d47d-556f-c427.tregon-grifon.swordarmor.fr. IN AAAA
;; ANSWER SECTION:
ip6-2a00-5884-8316-2653-fd40-d47d-556f-c427.tregon-grifon.swordarmor.fr. 400 IN AAAA
2a00:5884:8316:2653:fd40:d47d:556f:c427
;; AUTHORITY SECTION:
tregon-grifon.swordarmor.fr. 10800 IN NS tregon-grifon.swordarmor.fr.
;; ADDITIONAL SECTION:
tregon-grifon.swordarmor.fr. 10800 IN A 89.234.186.16
tregon-grifon.swordarmor.fr. 10800 IN AAAA 2a00:5884:8316::1
;; Query time: 105 msec
;; SERVER: 2001:910:800::12#53(2001:910:800::12)
;; WHEN: Mon Nov 28 11:03:33 CET 2016
;; MSG SIZE rcvd: 186
--
alarig
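Added example, not part of the post and not Knot's own code: a small Python script that reproduces the name mapping the two mod-synth-record instances above are configured for, so one can tell which owner names the module is expected to synthesize (and thus which names have no static record and no RRSIG in the signed zone). The prefix, origin and network are the values from the quoted config; the forward form (eight fully expanded groups joined by "-", as in the query name in the post) is an assumption about the module's output format, not taken from Knot's source.

```python
import ipaddress

# Parameters copied from the mod-synth-record config quoted in the post.
PREFIX = "ip6-"
ORIGIN = "tregon-grifon.swordarmor.fr"
NETWORK = ipaddress.IPv6Network("2a00:5884:8316::/48")
# The reverse zone apex covers the prefix length in nibbles (48 / 4 = 12).
REVERSE_ZONE_NIBBLES = NETWORK.prefixlen // 4


def _addr_in_network(addr):
    """Parse addr and reject anything outside the configured network."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in NETWORK:
        raise ValueError(f"{ip} is outside {NETWORK}; nothing would be synthesized")
    return ip


def forward_name(addr):
    """Owner name the forward instance would synthesize for addr.

    Assumption (not from Knot's source): groups are fully expanded and
    joined by '-', the form seen in the post's query name.
    """
    ip = _addr_in_network(addr)
    return PREFIX + ip.exploded.replace(":", "-") + "." + ORIGIN + "."


def reverse_record(addr):
    """(reverse zone apex, owner relative to that apex, PTR target) for addr."""
    ip = _addr_in_network(addr)
    nibbles = ip.exploded.replace(":", "")[::-1]  # 32 nibbles, least significant first
    host_part = nibbles[: 32 - REVERSE_ZONE_NIBBLES]
    zone_part = nibbles[32 - REVERSE_ZONE_NIBBLES:]
    zone = ".".join(zone_part) + ".ip6.arpa."
    owner = ".".join(host_part)
    return zone, owner, forward_name(addr)


def forward_name_to_address(name):
    """Invert forward_name(); reject names this instance could not have produced."""
    suffix = "." + ORIGIN + "."
    if not (name.startswith(PREFIX) and name.endswith(suffix)):
        raise ValueError(f"{name} does not match {PREFIX}*{suffix}")
    dashed = name[len(PREFIX):-len(suffix)]
    return _addr_in_network(dashed.replace("-", ":"))


if __name__ == "__main__":
    print(forward_name("2a00:5884:8316:2653:fd40:d47d:556f:c427"))
    print(reverse_record("2a00:5884:8316:2653:fd40:d47d:556f:c426"))
```

The reverse owner for ...:c426 and the zone apex it computes match the static PTR and the zone file name pasted above, which is a quick way to confirm the two instances cover the same prefix.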