Hello,

I'm evaluating Knot Resolver and noticed that domains like
c-50-149-161-131.hsd1.tn.comcast.net can't be resolved by Knot Resolver:

$ dig @127.0.0.1 c-50-149-161-131.hsd1.tn.comcast.net a
; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @127.0.0.1 c-50-149-161-131.hsd1.tn.comcast.net a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20156
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 10 (RRSIGs Missing): (JZAJ)
;; QUESTION SECTION:
;c-50-149-161-131.hsd1.tn.comcast.net. IN A
;; Query time: 484 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon May 04 17:07:27 CEST 2026
;; MSG SIZE rcvd: 75

Other recursors are happy with it:

$ dig @1.1.1.1 c-50-149-161-131.hsd1.tn.comcast.net a
; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @1.1.1.1 c-50-149-161-131.hsd1.tn.comcast.net a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11935
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;c-50-149-161-131.hsd1.tn.comcast.net. IN A
;; ANSWER SECTION:
c-50-149-161-131.hsd1.tn.comcast.net. 1302 IN A 50.149.161.131
;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon May 04 17:14:30 CEST 2026
;; MSG SIZE rcvd: 81

delv seems to be happy, too:

$ delv @1.1.1.1 +vtrace c-50-149-161-131.hsd1.tn.comcast.net a
[...]
;; validating hsd1.tn.comcast.net/DS: in validator_callback_nsec
;; validating hsd1.tn.comcast.net/DS: looking for relevant NSEC
;; validating hsd1.tn.comcast.net/DS: nsec proves name exists (owner) data=0
;; validating hsd1.tn.comcast.net/DS: resuming validate_nx
;; validating hsd1.tn.comcast.net/DS: nonexistence proof(s) found
;; validating c-50-149-161-131.hsd1.tn.comcast.net/A: in fetch_callback_ds
;; validating c-50-149-161-131.hsd1.tn.comcast.net/A: marking as answer (fetch_callback_ds)
; unsigned answer
c-50-149-161-131.hsd1.tn.comcast.net. 7200 IN A 50.149.161.131

Here's the Knot Resolver debug output:

Mai 04 17:22:14 [rules ][64917.00] => view selected action: policy.tags_assign_bitmap(0ULL)
Mai 04 17:22:14 [iterat][64917.00] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .01, parent uid .00
Mai 04 17:22:14 [resolv][64917.01] => using root hints
Mai 04 17:22:14 [iterat][64917.01] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .02, parent uid .00
Mai 04 17:22:14 [resolv][64917.02] >< TA: '.'
Mai 04 17:22:14 [plan ][64917.02] plan '.' type 'DNSKEY' uid [64917.03]
Mai 04 17:22:14 [iterat][64917.03] '.' type 'DNSKEY' new uid was assigned .04, parent uid .02
Mai 04 17:22:14 [select][64917.04] => id: '12737' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO
Mai 04 17:22:14 [select][64917.04] => id: '12737' choosing: 'm.root-servers.net.'@'202.12.27.33#00053' with timeout 400 ms zone cut: '.'
Mai 04 17:22:14 [resolv][64917.04] => id: '12737' querying: 'm.root-servers.net.'@'202.12.27.33#00053' zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
Mai 04 17:22:14 [select][64917.04] => id: '12737' updating: 'm.root-servers.net.'@'202.12.27.33#00053' zone cut: '.' with rtt 16 to srtt: 16 and variance: 8
Mai 04 17:22:14 [iterat][64917.04] <= rcode: NOERROR
Mai 04 17:22:14 [valdtr][64917.04] <= parent: updating DNSKEY
Mai 04 17:22:14 [valdtr][64917.04] <= answer valid, OK
Mai 04 17:22:14 [cache ][64917.04] => stashed . DNSKEY, rank 060, 1090 B total, incl. 1 RRSIGs
Mai 04 17:22:14 [iterat][64917.02] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .05, parent uid .00
Mai 04 17:22:14 [select][64917.05] => id: '58885' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO
Mai 04 17:22:14 [select][64917.05] => id: '58885' choosing: 'c.root-servers.net.'@'192.33.4.12#00053' with timeout 400 ms zone cut: '.'
Mai 04 17:22:14 [resolv][64917.05] => id: '58885' querying: 'c.root-servers.net.'@'192.33.4.12#00053' zone cut: '.' qname: 'net.' qtype: 'NS' proto: 'udp'
Mai 04 17:22:14 [iterat][65570.00] '_ta-4f66-9728.' type 'NULL' new uid was assigned .01, parent uid .00
Mai 04 17:22:14 [resolv][65570.01] => using root hints
Mai 04 17:22:14 [iterat][65570.01] '_ta-4f66-9728.' type 'NULL' new uid was assigned .02, parent uid .00
Mai 04 17:22:14 [resolv][65570.02] >< TA: '.'
Mai 04 17:22:14 [plan ][65570.02] plan '.' type 'DNSKEY' uid [65570.03]
Mai 04 17:22:14 [iterat][65570.03] '.' type 'DNSKEY' new uid was assigned .04, parent uid .02
Mai 04 17:22:14 [cache ][65570.04] => satisfied by exact RRset: rank 060, new TTL 86400
Mai 04 17:22:14 [iterat][65570.04] <= rcode: NOERROR
Mai 04 17:22:14 [valdtr][65570.04] <= parent: updating DNSKEY
Mai 04 17:22:14 [valdtr][65570.04] <= answer valid, OK
Mai 04 17:22:14 [iterat][65570.02] '_ta-4f66-9728.' type 'NULL' new uid was assigned .05, parent uid .00
Mai 04 17:22:14 [select][65570.05] => id: '08979' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO
Mai 04 17:22:14 [select][65570.05] => id: '08979' choosing: 'j.root-servers.net.'@'192.58.128.30#00053' with timeout 400 ms zone cut: '.'
Mai 04 17:22:14 [resolv][65570.05] => id: '08979' querying: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' qname: '_ta-4f66-9728.' qtype: 'NULL' proto: 'udp'
Mai 04 17:22:14 [select][64917.05] => id: '58885' updating: 'c.root-servers.net.'@'192.33.4.12#00053' zone cut: '.' with rtt 7 to srtt: 7 and variance: 3
Mai 04 17:22:14 [iterat][64917.05] <= authority: many glue NSs, skipping the rest
Mai 04 17:22:14 [iterat][64917.05] <= loaded 26 glue addresses
Mai 04 17:22:14 [iterat][64917.05] <= referral response, follow
Mai 04 17:22:14 [valdtr][64917.05] <= DS: OK
Mai 04 17:22:14 [valdtr][64917.05] <= answer valid, OK
Mai 04 17:22:14 [cache ][64917.05] => stashed net. DS, rank 060, 330 B total, incl. 1 RRSIGs
Mai 04 17:22:14 [cache ][64917.05] => stashed net. NS, rank 002, 300 B total, incl. 0 RRSIGs
Mai 04 17:22:14 [cache ][64917.05] => stashed also 26 nonauth RRsets
Mai 04 17:22:14 [iterat][64917.05] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .06, parent uid .00
Mai 04 17:22:14 [plan ][64917.06] plan 'net.' type 'DNSKEY' uid [64917.07]
Mai 04 17:22:14 [iterat][64917.07] 'net.' type 'DNSKEY' new uid was assigned .08, parent uid .06
Mai 04 17:22:14 [cache ][64917.08] => no NSEC* cached for zone: net.
Mai 04 17:22:14 [cache ][64917.08] => skipping zone: net., NSEC, hash 0;new TTL -123456789, ret -2
Mai 04 17:22:14 [cache ][64917.08] => skipping zone: net., NSEC, hash 0;new TTL -123456789, ret -2
Mai 04 17:22:14 [select][64917.08] => id: '33392' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO
Mai 04 17:22:14 [select][64917.08] => id: '33392' choosing: 'k.gtld-servers.net.'@'192.52.178.30#00053' with timeout 400 ms zone cut: 'net.'
Mai 04 17:22:14 [resolv][64917.08] => id: '33392' querying: 'k.gtld-servers.net.'@'192.52.178.30#00053' zone cut: 'net.' qname: 'net.' qtype: 'DNSKEY' proto: 'udp'
Mai 04 17:22:14 [select][65570.05] => id: '08979' updating: 'j.root-servers.net.'@'192.58.128.30#00053' zone cut: '.' with rtt 7 to srtt: 7 and variance: 3
Mai 04 17:22:14 [iterat][65570.05] <= rcode: NXDOMAIN
Mai 04 17:22:14 [valdtr][65570.05] <= answer valid, OK
Mai 04 17:22:14 [cache ][65570.05] => stashed . NSEC, rank 060, 310 B total, incl. 1 RRSIGs
Mai 04 17:22:14 [cache ][65570.05] => stashed . SOA, rank 060, 358 B total, incl. 1 RRSIGs
Mai 04 17:22:14 [cache ][65570.05] => nsec_p stashed for . (new, hash: 0)
Mai 04 17:22:14 [resolv][65570.05] AD: request classified as SECURE
Mai 04 17:22:14 [resolv][65570.05] finished in state: 4, queries: 2, mempool: 98352 B
Mai 04 17:22:14 [select][64917.08] => id: '33392' updating: 'k.gtld-servers.net.'@'192.52.178.30#00053' zone cut: 'net.' with rtt 25 to srtt: 25 and variance: 12
Mai 04 17:22:14 [iterat][64917.08] <= rcode: NOERROR
Mai 04 17:22:14 [valdtr][64917.08] <= parent: updating DNSKEY
Mai 04 17:22:14 [valdtr][64917.08] <= answer valid, OK
Mai 04 17:22:14 [cache ][64917.08] => stashed net. DNSKEY, rank 060, 244 B total, incl. 1 RRSIGs
Mai 04 17:22:14 [iterat][64917.06] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .09, parent uid .00
Mai 04 17:22:14 [select][64917.09] => id: '14990' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO
Mai 04 17:22:14 [select][64917.09] => id: '14990' choosing: 'f.gtld-servers.net.'@'192.35.51.30#00053' with timeout 400 ms zone cut: 'net.'
Mai 04 17:22:14 [resolv][64917.09] => id: '14990' querying: 'f.gtld-servers.net.'@'192.35.51.30#00053' zone cut: 'net.' qname: 'comcast.net.' qtype: 'NS' proto: 'udp'
Mai 04 17:22:14 [select][64917.09] => id: '14990' updating: 'f.gtld-servers.net.'@'192.35.51.30#00053' zone cut: 'net.' with rtt 8 to srtt: 8 and variance: 4
Mai 04 17:22:14 [iterat][64917.09] <= loaded 10 glue addresses
Mai 04 17:22:14 [iterat][64917.09] <= referral response, follow
Mai 04 17:22:14 [valdtr][64917.09] <= DS: OK
Mai 04 17:22:14 [valdtr][64917.09] <= answer valid, OK
Mai 04 17:22:14 [cache ][64917.09] => stashed comcast.net. DS, rank 060, 168 B total, incl. 1 RRSIGs
Mai 04 17:22:14 [cache ][64917.09] => stashed comcast.net. NS, rank 002, 124 B total, incl. 0 RRSIGs
Mai 04 17:22:14 [cache ][64917.09] => stashed also 10 nonauth RRsets
Mai 04 17:22:14 [iterat][64917.09] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .10, parent uid .00
Mai 04 17:22:14 [plan ][64917.10] plan 'comcast.net.' type 'DNSKEY' uid [64917.11]
Mai 04 17:22:14 [iterat][64917.11] 'comcast.net.' type 'DNSKEY' new uid was assigned .12, parent uid .10
Mai 04 17:22:14 [cache ][64917.12] => no NSEC* cached for zone: comcast.net.
Mai 04 17:22:14 [cache ][64917.12] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
Mai 04 17:22:14 [cache ][64917.12] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
Mai 04 17:22:14 [select][64917.12] => id: '06051' choosing from addresses: 5 v4 + 5 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO
Mai 04 17:22:14 [select][64917.12] => id: '06051' choosing: 'dns101.comcast.net.'@'69.252.250.103#00053' with timeout 400 ms zone cut: 'comcast.net.'
Mai 04 17:22:14 [resolv][64917.12] => id: '06051' querying: 'dns101.comcast.net.'@'69.252.250.103#00053' zone cut: 'comcast.net.' qname: 'comcast.net.' qtype: 'DNSKEY' proto: 'udp'
Mai 04 17:22:14 [select][64917.12] => id: '06051' updating: 'dns101.comcast.net.'@'69.252.250.103#00053' zone cut: 'comcast.net.' with rtt 115 to srtt: 115 and variance: 57
Mai 04 17:22:14 [iterat][64917.12] <= rcode: NOERROR
Mai 04 17:22:14 [valdtr][64917.12] <= parent: updating DNSKEY
Mai 04 17:22:14 [valdtr][64917.12] <= answer valid, OK
Mai 04 17:22:14 [cache ][64917.12] => stashed comcast.net. DNSKEY, rank 060, 870 B total, incl. 2 RRSIGs
Mai 04 17:22:14 [iterat][64917.10] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .13, parent uid .00
Mai 04 17:22:14 [select][64917.13] => id: '54966' choosing from addresses: 5 v4 + 5 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO
Mai 04 17:22:14 [select][64917.13] => id: '54966' choosing: 'dns105.comcast.net.'@'68.87.72.244#00053' with timeout 400 ms zone cut: 'comcast.net.'
Mai 04 17:22:14 [resolv][64917.13] => id: '54966' querying: 'dns105.comcast.net.'@'68.87.72.244#00053' zone cut: 'comcast.net.' qname: 'tn.comcast.net.' qtype: 'NS' proto: 'udp'
Mai 04 17:22:14 [select][64917.13] => id: '54966' updating: 'dns105.comcast.net.'@'68.87.72.244#00053' zone cut: 'comcast.net.' with rtt 142 to srtt: 142 and variance: 71
Mai 04 17:22:14 [iterat][64917.13] <= rcode: NOERROR
Mai 04 17:22:14 [iterat][64917.13] <= retrying with non-minimized name
Mai 04 17:22:14 [iterat][64917.13] 'c-50-149-161-131.hsd1.tn.comcast.net.' type 'A' new uid was assigned .14, parent uid .00
Mai 04 17:22:14 [select][64917.14] => id: '27279' choosing from addresses: 5 v4 + 5 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO
Mai 04 17:22:14 [select][64917.14] => id: '27279' choosing: 'dns103.comcast.net.'@'68.87.76.228#00053' with timeout 400 ms zone cut: 'comcast.net.'
Mai 04 17:22:14 [resolv][64917.14] => id: '27279' querying: 'dns103.comcast.net.'@'68.87.76.228#00053' zone cut: 'comcast.net.' qname: 'c-50-149-161-131.hsd1.tn.comcast.net.' qtype: 'A' proto: 'udp'
Mai 04 17:22:15 [select][64917.14] => id: '27279' updating: 'dns103.comcast.net.'@'68.87.76.228#00053' zone cut: 'comcast.net.' with rtt 180 to srtt: 180 and variance: 90
Mai 04 17:22:15 [iterat][64917.14] <= rcode: NOERROR
Mai 04 17:22:15 [valdtr][64917.14] >< cut changed, needs revalidation
Mai 04 17:22:15 [resolv][64917.14] => resuming yielded answer
Mai 04 17:22:15 [valdtr][64917.14] >< no valid RRSIGs found: c-50-149-161-131.hsd1.tn.comcast.net. A (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
Mai 04 17:22:15 [plan ][64917.14] plan 'tn.comcast.net.' type 'DS' uid [64917.15]
Mai 04 17:22:15 [iterat][64917.15] 'tn.comcast.net.' type 'DS' new uid was assigned .16, parent uid .14
Mai 04 17:22:15 [cache ][64917.16] => no NSEC* cached for zone: comcast.net.
Mai 04 17:22:15 [cache ][64917.16] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
Mai 04 17:22:15 [cache ][64917.16] => skipping zone: comcast.net., NSEC, hash 0;new TTL -123456789, ret -2
Mai 04 17:22:15 [select][64917.16] => id: '58255' choosing from addresses: 5 v4 + 5 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is KO
Mai 04 17:22:15 [select][64917.16] => id: '58255' choosing: 'dns104.comcast.net.'@'68.87.68.244#00053' with timeout 400 ms zone cut: 'comcast.net.'
Mai 04 17:22:15 [resolv][64917.16] => id: '58255' querying: 'dns104.comcast.net.'@'68.87.68.244#00053' zone cut: 'comcast.net.' qname: 'tn.comcast.net.' qtype: 'DS' proto: 'udp'
Mai 04 17:22:15 [select][64917.16] => id: '58255' updating: 'dns104.comcast.net.'@'68.87.68.244#00053' zone cut: 'comcast.net.' with rtt 149 to srtt: 149 and variance: 74
Mai 04 17:22:15 [iterat][64917.16] <= rcode: NOERROR
Mai 04 17:22:15 [valdtr][64917.16] <= parent: updating DS
Mai 04 17:22:15 [valdtr][64917.16] <= answer valid, OK
Mai 04 17:22:15 [cache ][64917.16] => stashed tmwtwabv02w-cisco-cbmr.comcast.net. NSEC, rank 060, 212 B total, incl. 1 RRSIGs
Mai 04 17:22:15 [cache ][64917.16] => stashed comcast.net. SOA, rank 060, 248 B total, incl. 1 RRSIGs
Mai 04 17:22:15 [cache ][64917.16] => nsec_p stashed for comcast.net. (new, hash: 0)
Mai 04 17:22:15 [resolv][64917.14] => resuming yielded answer
Mai 04 17:22:15 [valdtr][64917.14] >< no valid RRSIGs found: c-50-149-161-131.hsd1.tn.comcast.net. A (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
Mai 04 17:22:15 [plan ][64917.14] plan 'tn.comcast.net.' type 'DS' uid [64917.17]
Mai 04 17:22:15 [iterat][64917.17] 'tn.comcast.net.' type 'DS' new uid was assigned .18, parent uid .14
Mai 04 17:22:15 [cache ][64917.18] => trying zone: comcast.net., NSEC, hash 0
Mai 04 17:22:15 [cache ][64917.18] => NSEC sname: covered by: tmwtwabv02w-cisco-cbmr.comcast.net. -> andrsn01.tn.comcast.net., new TTL 900
Mai 04 17:22:15 [cache ][64917.18] => NSEC sname: empty non-terminal by the same RR
Mai 04 17:22:15 [iterat][64917.18] <= rcode: NOERROR
Mai 04 17:22:15 [valdtr][64917.18] <= parent: updating DS
Mai 04 17:22:15 [valdtr][64917.18] <= answer valid, OK
Mai 04 17:22:15 [resolv][64917.14] => resuming yielded answer
Mai 04 17:22:15 [valdtr][64917.14] >< no valid RRSIGs found: c-50-149-161-131.hsd1.tn.comcast.net. A (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
Mai 04 17:22:15 [valdtr][64917.14] <= continuous revalidation, fails
Mai 04 17:22:15 [cache ][64917.14] => stashed c-50-149-161-131.hsd1.tn.comcast.net. A, rank 027, 20 B total, incl. 0 RRSIGs
Mai 04 17:22:15 [cache ][64917.14] => not overwriting A c-50-149-161-131.hsd1.tn.comcast.net.
Mai 04 17:22:15 [resolv][64917.00] request failed, answering with empty SERVFAIL
Mai 04 17:22:15 [resolv][64917.14] finished in state: 8, queries: 5, mempool: 98400 B

I'm wondering what's wrong here and if it's possible to mitigate that.
Best regards,
Matthias
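
A triage helper for a pasted debug log like the one in this message, as an added example that is not part of the original post and not Knot Resolver code: it rejoins mail-wrapped entries, keeps one request id, and pulls out the DS/DNSKEY lookups the validator planned, the RRsets it found unsigned, and whether the request ended in SERVFAIL. The function names and the embedded excerpt (constructed by shortening lines from the log above) are assumptions of this example.

```python
import re

# Entry start: "<month> <day> <time> [group ][request.uid] message"
ENTRY = re.compile(r"^\w+ \d+ [\d:]{8} \[(\w+) *\]\[(\d+)\.\d+\] (.*)$")
UNSIGNED = re.compile(r"no valid RRSIGs found: (\S+) (\w+) \((\d+) matching")
PLAN = re.compile(r"plan '([^']+)' type '(\w+)'")

# Constructed excerpt: lines shortened from the log above, wrapping kept.
SAMPLE = """\
Mai 04 17:22:14 [valdtr][65570.05] <= answer valid, OK
Mai 04 17:22:15 [valdtr][64917.14] >< no valid RRSIGs found:
c-50-149-161-131.hsd1.tn.comcast.net. A (0 matching RRSIGs, 0 expired)
Mai 04 17:22:15 [plan ][64917.14] plan 'tn.comcast.net.' type 'DS' uid
[64917.15]
Mai 04 17:22:15 [valdtr][64917.16] <= answer valid, OK
Mai 04 17:22:15 [valdtr][64917.14] >< no valid RRSIGs found:
c-50-149-161-131.hsd1.tn.comcast.net. A (0 matching RRSIGs, 0 expired)
Mai 04 17:22:15 [valdtr][64917.14] <= continuous revalidation, fails
Mai 04 17:22:15 [resolv][64917.00] request failed, answering with empty SERVFAIL
"""

def unwrap(text):
    """Rejoin entries that mail wrapping split across several lines."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line):
            entries.append(line.strip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries

def validator_trail(text, request):
    """Collect the validation steps logged for one request id."""
    trail = {"planned": [], "unsigned": {}, "gave_up": False, "servfail": False}
    for entry in unwrap(text):
        group, req, msg = ENTRY.match(entry).groups()
        if req != request:
            continue  # other requests are interleaved in the same log
        if group == "plan" and (m := PLAN.search(msg)):
            trail["planned"].append(m.groups())
        elif group == "valdtr" and (m := UNSIGNED.search(msg)):
            key = f"{m.group(1)} {m.group(2)}"
            trail["unsigned"][key] = trail["unsigned"].get(key, 0) + 1
        elif group == "valdtr" and "continuous revalidation" in msg:
            trail["gave_up"] = True
        elif group == "resolv" and "SERVFAIL" in msg:
            trail["servfail"] = True
    return trail
```

Calling `validator_trail(log_text, "64917")` on the full log narrows it to the failing request and leaves out the interleaved `65570` trust-anchor query.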