Am 2022-12-30 11:21, schrieb Benoît Panizzon via swinog:
Hi Markus
the name server from swizzonic is not supposed to provide you with a answer to all the queries.
I guess if I point to our recursive validating caching NS and it does not possess this data in it's cache, it will start by following from the root by asking for _.numberportability.ch to avoid revealing which host it is exactly looking for until it reaches the authoritative DNS for that zone and then ask this one directly for the desired RR.
I guess this is where something is breaking the chain.
I also don't see why the swizzonic DNS which is the authoritative primary should not answer to all queries.
If I want to or need to ask the (supposedly) authoritative server(s) about a domain, I add +norecurs.
I believe, if you disable recursive queries on the authoritative-server, it will not answer them, even if it technically could.
Does DNSSEC change that?