Ask the question using TCP. I suspect that the server isn’t truncating the UDP response correctly. If I’m right you will get RRSIGs for the NSEC added to the additional section. If not the zone needs to be resigned as they are missing. I’m answering from my phone or else I would look it up myself.

Mark Andrews

On 16 Mar 2024, at 04:36, Matthew Pounsett <matt@conundrum.com> wrote:

On Fri, Mar 15, 2024 at 11:26 AM Dennis Burgess via NANOG <nanog@nanog.org> wrote:

So have *.app.linktechs.net that I have been trying to get to work, we have DNSSEC on this, and its failing, but cannot for the life of me understand why. I think it may have something to do with proving it exists as a wildcard, but any DNSSEC experts want to take a stab at it ?

As others have mentioned, the DNS-operations list would be a better place to get help: <https://lists.dns-oarc.net/mailman/listinfo/dns-operations>

But, right off the top I can see that your name server is returning the NSEC record in the wrong section of the response.