On Fri, Mar 15, 2024 at 11:26 AM Dennis Burgess via NANOG <nanog@nanog.org> wrote:

So have *.app.linktechs.net that I have been trying to get to work, we have DNSSEC on this, and its failing, but cannot for the life of me understand why.  I think it may have something to do with proving it exists as a wildcard, but any DNSSEC experts want to take a stab at it ? 


As others have mentioned, the DNS-operations list would be a better place to get help:  <https://lists.dns-oarc.net/mailman/listinfo/dns-operations>

But, right off the top I can see that your name server is returning the NSEC record in the wrong section of the response.