Hi Benoit
So, there is an A record for www.numberportability.ch, and it's signed and resolves and validates without issue for me.
However, when I attempt to look up the AAAA record (or any other RRtype except A), I get the following response from Swizzonic's nameserver:
```
; <<>> DiG 9.18.9 <<>> www.numberportability.ch aaaa @2a01:8100:2901::1:183:201 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44515
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;www.numberportability.ch. IN AAAA

;; AUTHORITY SECTION:
numberportability.ch. 900 IN SOA dns1.swizzonic.ch. hostmaster.swizzonic.ch. 2022121601 10800 3600 604800 86400
numberportability.ch. 900 IN RRSIG SOA 13 2 900 20230105000000 20221215000000 10556 numberportability.ch. SzRBpQzLj0tEmzfg0LN6vBVd6pDYVY5RhaJd8BFKX57yaU1xCEeVFQiB ogAb0xMsVcUMEew15KbjxDyLBGhvsw==
numberportability.ch. 86400 IN NSEC numberportability.ch. A NS SOA MX TXT RRSIG NSEC DNSKEY
numberportability.ch. 86400 IN RRSIG NSEC 13 2 86400 20230105000000 20221215000000 10556 numberportability.ch. nwLoV6Gr+DLINpw+1wARJkj6VCUEIPT3ciZGrmltkBXu7tlW3L9GF0Ht 5kCZbDooM8yMGOow0gI/EdIzYwKA+A==

;; Query time: 26 msec
;; SERVER: 2a01:8100:2901::1:183:201#53(2a01:8100:2901::1:183:201) (UDP)
;; WHEN: Wed Dec 28 16:13:41 CET 2022
;; MSG SIZE rcvd: 390
```
Note the response status:
```
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44515
```
It is a NOERROR rather than NXDOMAIN. This means the name server indicates that the absence of an AAAA record in the response is a NoData [rfc2308] error rather than an NXDOMAIN error, or, in other words, it claims that the domain www.numberportability.ch. exists, but doesn't have an AAAA record.
Now let's turn our eyes to the NSEC record in the response:
```
numberportability.ch. NSEC numberportability.ch. [... some rrtypes]
```
Here, Swizzonic's nameserver claims that there is no domain between numberportability.ch. and numberportability.ch., i.e. that it does not have any subdomains at all. This is in contrast to the NoData response above, and thus the DNSSEC validator considers the response bogus.
So it appears there is some kind of misconfiguration on Swizzonic's side.
Hope this helps in narrowing down the issue.
Regards,
Sebastian
[rfc2308]: https://www.rfc-editor.org/rfc/rfc2308#section-2.2
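
The contradiction described in the message above can be reproduced with a simplified NSEC check. This is an added example, not part of the original message or of any resolver's code; it generalizes slightly to cover matching NSECs and empty non-terminals, the function names are hypothetical, and `CONSISTENT_NSEC` is a constructed record.

```python
# Added illustration: simplified NSEC denial check (RFC 4034 s.6.1, RFC 4035 s.5.4).
# Not a full validator: signatures, wildcards and NSEC3 are out of scope.

def canon(name):
    """Sort key for canonical DNS name order: lowercase labels, rightmost first."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split(".")) if l]

def nsec_covers(owner, nxt, qname):
    """True if the NSEC span owner -> nxt proves that qname does not exist."""
    o, n, q = canon(owner), canon(nxt), canon(qname)
    if o < n:
        return o < q < n            # ordinary span inside the chain
    return q > o or q < n           # last NSEC, wrapping back to the apex

def is_below(child, parent):
    """True if child is a strict descendant of parent."""
    c, p = canon(child), canon(parent)
    return len(c) > len(p) and c[:len(p)] == p

def check_negative(rcode, qname, qtype, nsecs):
    """nsecs: list of (owner, next, type_bitmap). Returns (secure, reason)."""
    for owner, nxt, types in nsecs:
        if canon(owner) == canon(qname):
            # NSEC at the queried name: NoData holds only if the type is absent.
            ok = rcode == "NOERROR" and not ({qtype, "CNAME"} & types)
            return ok, "NSEC at qname: " + ("type absent" if ok else "contradicts response")
        if nsec_covers(owner, nxt, qname):
            if is_below(nxt, qname):    # names exist beneath qname
                return rcode == "NOERROR", "qname is an empty non-terminal"
            if rcode == "NXDOMAIN":
                return True, "NSEC covers qname (wildcard proof not checked)"
            return False, "NSEC says qname does not exist, but rcode is NOERROR"
    return False, "no NSEC matches or covers qname"

# NSEC taken from the dig output in the message above.
THREAD_NSEC = ("numberportability.ch.", "numberportability.ch.",
               {"A", "NS", "SOA", "MX", "TXT", "RRSIG", "NSEC", "DNSKEY"})
# Constructed: what a consistent NoData proof for www could look like.
CONSISTENT_NSEC = ("www.numberportability.ch.", "numberportability.ch.",
                   {"A", "RRSIG", "NSEC"})

if __name__ == "__main__":
    q = "www.numberportability.ch."
    print(check_negative("NOERROR", q, "AAAA", [THREAD_NSEC]))
    print(check_negative("NOERROR", q, "AAAA", [CONSISTENT_NSEC]))
```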