zonemaster / zonemaster-engine

The Zonemaster Engine - part of the Zonemaster project

Inconsistent handling of malformed response #1298

Open matsduf opened 1 year ago

matsduf commented 1 year ago

Observations of rfv.se

Testing rfv.se gives the following output (DNSSEC10):

$ zonemaster-cli rfv.se --test dnssec/dnssec10
Seconds Level    Testcase       Message
======= ======== ============== =======
   0.00 INFO     UNSPECIFIED    Using version v4.7.3 of the Zonemaster engine.
   2.69 ERROR    DNSSEC10       No response or error in response on an expected non-existent name. Fetched from the nameservers with IP addresses "194.71.70.189;194.71.70.190;2001:67c:2384:5003::189;2001:67c:2384:5003::190".
   2.69 INFO     DNSSEC10       The zone has NSEC3 records. Fetched from the nameservers with IP addresses "162.219.54.130;162.219.55.130;185.42.137.101;194.58.192.48;194.58.198.48;2620:10a:80eb::42;2620:10a:80ec::42;2a01:3f0:400::48;2a01:3f1:3048::53;2a01:3f1:48::53".

What is interesting here is "No response or error in response on an expected non-existent name". I ran the following command and looked for 194.71.70.189.

zonemaster-cli rfv.se --test dnssec/dnssec10 --level debug3 > rfv.se.log 

I found the following in the log file:

   2.35 DEBUG2   DNSSEC10       SYSTEM:DNSSEC10:QUERY flags={"dnssec":1,"usevc":0}; ip=194.71.70.189; name=xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se; type=A
   2.35 DEBUG    DNSSEC10       SYSTEM:DNSSEC10:EXTERNAL_QUERY flags={"class":"IN","dnssec":1,"usevc":0}; ip=194.71.70.189; name=xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se; type=A
   2.36 DEBUG    DNSSEC10       DNS query to ns1.sgit.se/194.71.70.189 for xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se/A/IN failed with error: authority section incomplete.
   2.36 DEBUG3   DNSSEC10       SYSTEM:DNSSEC10:EMPTY_RETURN 
   2.36 DEBUG3   DNSSEC10       SYSTEM:DNSSEC10:CACHED_RETURN packet=undef

Note that Zonemaster says "failed with error: authority section incomplete" and that the response is cached as no response, i.e. as if there was no response at all.

And indeed there is something wrong (the query over UDP leads to a truncated response with a malformed packet):

$ dig @194.71.70.189 xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se A +dnssec +norec +ignore +noidnin +noidnout
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.18.14 <<>> @194.71.70.189 xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se A +dnssec +norec +ignore +noidnin +noidnout
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5265
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; QUESTION SECTION:
;xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se. IN    A

;; AUTHORITY SECTION:
.           32768   CLASS4096 OPT   

;; Query time: 10 msec
;; SERVER: 194.71.70.189#53(194.71.70.189) (UDP)
;; WHEN: Fri Oct 20 14:49:00 UTC 2023
;; MSG SIZE  rcvd: 64

Note that it says "AUTHORITY: 6" but there are actually no records for the authority section. The one record shown there really belongs to the additional section.

The TC flag is set, and if a new query over TCP is sent, then a well-formed response is sent. If the +ignore parameter is removed, then dig will automatically retry with TCP:

$ dig @194.71.70.189 xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se A +dnssec +norec +noidnin +noidnout
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
(...)

If dig is run with +tcp no malformed packet is reported.

Observations of riksforsakringsverket.se

riksforsakringsverket.se is a sister to rfv.se, but for that no error is reported by zonemaster-cli:

$ zonemaster-cli riksforsakringsverket.se --test dnssec/dnssec10
Seconds Level    Testcase       Message
======= ======== ============== =======
   0.00 INFO     UNSPECIFIED    Using version v4.7.3 of the Zonemaster engine.
   2.58 INFO     DNSSEC10       The zone has NSEC3 records. Fetched from the nameservers with IP addresses "162.219.54.130;162.219.55.130;185.42.137.101;194.58.192.48;194.58.198.48;194.71.70.189;194.71.70.190;2001:67c:2384:5003::189;2001:67c:2384:5003::190;2620:10a:80eb::42;2620:10a:80ec::42;2a01:3f0:400::48;2a01:3f1:3048::53;2a01:3f1:48::53".

However, both zones are hosted on the same set of NS. And when sending a query with dig, the same malformed response is returned for riksforsakringsverket.se:

$ dig @194.71.70.189 xx--oplk4f3fgh9lksdfhu7h--xx.riksforsakringsverket.se A +dnssec +norec +noidnin +noidnout +ignore
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.18.14 <<>> @194.71.70.189 xx--oplk4f3fgh9lksdfhu7h--xx.riksforsakringsverket.se A +dnssec +norec +noidnin +noidnout +ignore
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38980
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; QUESTION SECTION:
;xx--oplk4f3fgh9lksdfhu7h--xx.riksforsakringsverket.se. IN A

;; AUTHORITY SECTION:
.           32768   CLASS4096 OPT   

;; Query time: 10 msec
;; SERVER: 194.71.70.189#53(194.71.70.189) (UDP)
;; WHEN: Fri Oct 20 15:02:41 UTC 2023
;; MSG SIZE  rcvd: 82

Conclusions

  1. Preferably Zonemaster should in a case like rfv.se
    1. Output a message on ERROR level with the error message text from the system (translation is not required).
    2. Just like dig, requery over TCP if the TC flag is set, even if the remainder of the packet is malformed.
  2. Preferably Zonemaster should discover the malformed packet also in the case of riksforsakringsverket.se

tgreenx commented 1 year ago

This is an LDNS internal error. See https://github.com/NLnetLabs/ldns/blob/173fbf303518d060e0d2bdc0bbd1830c0ec8f21d/error.c#L65 and https://github.com/NLnetLabs/ldns/blob/173fbf303518d060e0d2bdc0bbd1830c0ec8f21d/wire2host.c#L448-L450. I don't think we can do much about it.

matsduf commented 1 year ago

That error could be captured, couldn't it? If so, Zonemaster could have the logic to resend the query over TCP if the following requirements are fulfilled:

It assumes that it is possible to read the TC bit. If it is not readable, then a more aggressive approach would be to retry over TCP anyway.
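
An added example, not part of the thread and not Zonemaster or LDNS code: a check that reads the TC bit from the fixed 12-byte header before touching the sections, so a response whose section counts do not match its body still leads to a TCP retry. The function names, the verdict values and the sample bytes (a constructed packet with a shortened query name, not a capture) are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

enum verdict { RESP_OK, RESP_RETRY_TCP, RESP_MALFORMED, RESP_TOO_SHORT };

/* Constructed sample: NSCOUNT=6, ARCOUNT=1, TC set; body is question + one OPT. */
static const uint8_t SAMPLE[] = {
    0x14,0x91, 0x86,0x03, 0,1, 0,0, 0,6, 0,1,     /* id; qr aa tc, NXDOMAIN; counts */
    1,'x', 3,'r','f','v', 2,'s','e', 0, 0,1, 0,1, /* x.rfv.se. A IN (shortened name) */
    0, 0,41, 0x10,0, 0,0,0x80,0, 0,0 };           /* . OPT, udp 4096, DO, rdlen 0 */
static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Skip one encoded name; return the offset after it, or 0 on overrun. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off) {
    while (off < len) {
        uint8_t c = m[off];
        if (c == 0) return off + 1;                          /* root label */
        if (c >= 0xC0) return off + 2 <= len ? off + 2 : 0;  /* compression pointer */
        if (c > 63) return 0;                                /* reserved label type */
        off += 1 + (size_t)c;
    }
    return 0;
}

/* Count the complete records really present after the question section. */
unsigned records_present(const uint8_t *m, size_t len) {
    size_t off = 12;
    unsigned got = 0;
    for (unsigned q = rd16(m + 4); q > 0; q--) {
        off = skip_name(m, len, off);
        if (off == 0 || off + 4 > len) return 0;
        off += 4;                                            /* QTYPE, QCLASS */
    }
    while ((off = skip_name(m, len, off)) != 0 && off + 10 <= len) {
        off += 10 + rd16(m + off + 8);          /* type, class, ttl, rdlength, rdata */
        if (off > len) break;
        got++;
    }
    return got;
}

/* Read TC from the fixed 12-byte header first, so a broken body cannot hide it. */
enum verdict classify_udp_response(const uint8_t *m, size_t len) {
    if (len < 12) return RESP_TOO_SHORT;
    if (m[2] & 0x02) return RESP_RETRY_TCP;                  /* TC bit set */
    unsigned claimed = rd16(m + 6) + rd16(m + 8) + rd16(m + 10);
    return records_present(m, len) == claimed ? RESP_OK : RESP_MALFORMED;
}

enum verdict classify_sample(int tc, uint8_t nscount) { /* patched copy of SAMPLE */
    uint8_t m[sizeof SAMPLE];
    memcpy(m, SAMPLE, sizeof m);
    m[2] = (uint8_t)((m[2] & 0xFD) | (tc ? 0x02 : 0));
    m[9] = nscount;
    return classify_udp_response(m, sizeof m);
}
```

With the TC bit cleared, the same bytes are reported as malformed because the header claims seven records after the question and only one is present.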

matsduf commented 1 year ago

I also wonder about the inconsistency between rfv.se and riksforsakringsverket.se...

tgreenx commented 1 year ago

@matsduf Oddly enough, although the error is still present, I can't seem to be able to reproduce the behavior from Zonemaster:

$ dig @194.71.70.189 xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se A +dnssec +norec +ignore +noidnin +noidnout
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @194.71.70.189 xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se A +dnssec +norec +ignore +noidnin +noidnout
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1067
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; QUESTION SECTION:
;xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se. IN        A

;; AUTHORITY SECTION:
.                       32768   CLASS4096 OPT

;; Query time: 40 msec
;; SERVER: 194.71.70.189#53(194.71.70.189) (UDP)
;; WHEN: Wed Nov 08 11:06:06 CET 2023
;; MSG SIZE  rcvd: 64
$ git log -1 --oneline
9b8888ce (HEAD -> master, tag: v4.7.3, upstream/master, upstream/HEAD) Merge pull request #1289 from zonemaster/releases/v2023.1.4

$ zonemaster-cli rfv.se --test dnssec/dnssec10 --level info --no-ipv6
Seconds Level    Message
======= ======== =======
   0.00 INFO     Using version v4.7.3 of the Zonemaster engine.
   4.77 INFO     The zone has NSEC3 records. Fetched from the nameservers with IP addresses "162.219.54.130;162.219.55.130;185.42.137.101;194.58.192.48;194.58.198.48;194.71.70.189;194.71.70.190".

$ zonemaster-cli rfv.se --test dnssec/dnssec10 --level debug3 > rfv.se.log

[...]

   9.06 DEBUG2   SYSTEM:DNSSEC10:QUERY flags={"dnssec":1,"usevc":0}; ip=194.71.70.189; name=xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se; type=A
   9.06 DEBUG    SYSTEM:DNSSEC10:EXTERNAL_QUERY flags={"class":"IN","dnssec":1,"usevc":0}; ip=194.71.70.189; name=xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se; type=A
   9.19 DEBUG3   SYSTEM:DNSSEC10:EXTERNAL_RESPONSE packet=
                 ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 35617
                 ;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 0 
                 ;; QUESTION SECTION:
                 ;; xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se.    IN  A

                 ;; ANSWER SECTION:

                 ;; AUTHORITY SECTION:
                 q87h5j08tdm01l30k032vl3gqoohp1oj.rfv.se.   900 IN  NSEC3   1 0 10 4c1a362edc2e3c  rg8nb5gqu210lp7gn3rk4hp5vn0tbb8r A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM 
                 q87h5j08tdm01l30k032vl3gqoohp1oj.rfv.se.   900 IN  RRSIG   NSEC3 8 3 900 20231115085703 20231107081804 1503 rfv.se. IFH14QkFp8YlGijJ509oYBB1Up0Cv8fsd5mRqlB4K212HFcQn9pSnLEUaaEROhfdHFwdKEoQaiM37i8DyRa/WKzsWj+2w2n+TKrnqbZfiPw35TP7I++jj2Gqa226VTqGeITFKesETbYffhqCGUohQq4oIBx8calYzQgjJBK3Cu9SWxZVn5eNIZUc3eBQE33KgyCUHpe8vlJMG8lntfO5D2QH6sCcpVTR4J9q2drDoHsk0ChRyzJvGS0W3qCOgcmPw0ncmE4PBjBH99r2Q9GwlWSRW/UCWFopXkzglUVw82d59Ba3Rg8cETa81Fx4OTQBh7327Dr2Nv68xFsFsVJVLg==
                 q87h5j08tdm01l30k032vl3gqoohp1oj.rfv.se.   900 IN  RRSIG   NSEC3 8 3 900 20231115085703 20231107081804 7131 rfv.se. n29arI2hFErnBImb8sau6Yh4B72yLsbMih5cIQJUBLZuPYonF2eB7ejwNtxucbZCktnCWtpDj7nGED+ZjEU4rqBEPzR34zBwM+JVcaAbcu5SY7zvHxGOWnCeGovBcSiUaxuRcVsili9YwnSpKTtsmWSyqCg34wpeGfSGugghZw58Ld5HlW0lqXVDHHW+nZa2W/OdG8AvHJ6cVCKg1ON5FclKCOXtcqT6LJ3eT40/ocS7b0gT8CPwQDrVwDg445BlXlA63nJ1TCqDXohnLECqiZm/nlCSpPCWn8tTrtkEaGkzeMXkP3I5BXet9c3F5k+xT6/JDi0JnowMNnvjVsfHbQ==
                 md9tbun7khnp47v7if2825ua3q1pamg0.rfv.se.   900 IN  NSEC3   1 0 10 4c1a362edc2e3c  o4q5g5r4kqdd6itcc9fo865auuntkvqs
                 md9tbun7khnp47v7if2825ua3q1pamg0.rfv.se.   900 IN  RRSIG   NSEC3 8 3 900 20231115085703 20231107081804 1503 rfv.se. HqzBH9i1mwF/WDX1gUDJT+jrV+VaZOOcVZcaYd+qSoGLAGr6O1POmhUq2VAPLvHPfZ98MkOk9fpopd7aTJDf9ROxat/SqnB52YPVgyqZ4KIkj9s6UMxhiRxA7eY/Q3PjRM+PecjiJ8wXGy9RAMNI88gYut1fxWJAStFx4CyZDDd9XWv1IScJ0bRFfIowSxV9RjDrtdSv9cVCh5Uo2/Pdbnl6tO3rbizXrXvfNsmMB0HwNZ3OK+BwFIbC8LjyBEwpEAEXq2J8qnPGML5V8LUKbeBjxykgIk+gzv8XkFKV5On4oojHvwSR+eCbSh0zzE/CkhUhYmsqhP0RFoAN3QIdpA==
                 md9tbun7khnp47v7if2825ua3q1pamg0.rfv.se.   900 IN  RRSIG   NSEC3 8 3 900 20231115085703 20231107081804 7131 rfv.se. uaJOmG8IQA0kHJbxhoTI2iDSoNo5Wdfm93S5sud7G2RYScCeXPW9AzHBcs5JOUMfSitsJT1V9mZazOZZQl2sn9QMlkdVQzkS2lsTpYlff+ke/aI9SLSzH1mvlFCISWO6oh6W6EzF/axrGpjJUebqDjR0tMpjYULakFx6kyxGBu0a/uNWceloiDPgAFPcupgffeT2BdHUtxpzqDfQzwPGGh17u3tJxoBFVLR1aqIYJ8bMFCQ5CLo/svrMEmf9Bs8UbhGbNfBlfH7Mqi4h5aWPGafBfwtsmYoCOLTmYUlwgaU8GB8yKBNgBta0lTJ4C7QvYIciIxBdSkNuj7rcvxvLvg==
                 rfv.se.    900 IN  SOA ns1.sgit.se. dnsmaster.forsakringskassan.se. 2009088397 900 90 2592000 900
                 rfv.se.    900 IN  RRSIG   SOA 8 2 3600 20231116054903 20231108044903 1503 rfv.se. gWiaI0k0Pq3BihLDYqMuxOjeyV/J2x8AUeUz8pNi6ynW/O6mT7ecofE0YWwm3JR2jk1yGHDPjaLHSzPN9jo/AsGsshsnaVibBI8Na55jLs6zT6vb8W1Ym81/qVZ0Yp1pad49bzNNDSZs5niv1ZjwpBkN+iWxq+nA0ax4+w7UprxLaIUBxRJ2Obys388UkcUqoU9vYlHbCwl3SkfCaBUkqCIClIlww7sMAC6+CsVdWt41hm0IssXCwme7YmyY3F2+RC84uTc4VDMoVEaTvNTEcPnjrrae3PYiClAUIx1gw5zeczkoG2XtH0N/kdqMoSeJeJToi1dqu4qqUKsVPf+Bww==
                 rfv.se.    900 IN  RRSIG   SOA 8 2 3600 20231116054903 20231108044903 7131 rfv.se. sH+jNUvWkt5jKxBIw43ng0O5bPVFlo05peFmesY4Qwb/IN1s2n68vwLrC8msSazLeoU4lDA/XYWEXJOVZDbWWt8MloyA+VukhvOeHEmDK4SaTPe319XMhRsUERN//+OplGsOV/TQg2xRqLu3qqHDil8vtZJ2GAyzb8qPulIfw0Xrg2v0kT0XrzWyFC1WnNOeavkceAZSwPYnljmNec2Eddbd3VV+Wy6sHIhltUUz0Z9jj704z6PJv2A/URHi4Iw8LdExJRGPKMk4YE56DJbDirdNFXMzOnUSZLtMjuv5fwT21PgkHH13fDy/Lr/zFW40HhHH18vXDWYz04Ja7nhs/w==

                 ;; ADDITIONAL SECTION:

                 ;; Query time: 85 msec
                 ;; EDNS: version 0; flags: do ; udp: 4096
                 ;; SERVER: 194.71.70.189
                 ;; WHEN: Wed Nov  8 11:14:23 2023
                 ;; MSG SIZE  rcvd: 2066
   9.19 DEBUG3   SYSTEM:DNSSEC10:CACHED_RETURN packet=
                 ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 35617
                 ;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 0 
                 ;; QUESTION SECTION:
                 ;; xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se.    IN  A

                 ;; ANSWER SECTION:

                 ;; AUTHORITY SECTION:
                 q87h5j08tdm01l30k032vl3gqoohp1oj.rfv.se.   900 IN  NSEC3   1 0 10 4c1a362edc2e3c  rg8nb5gqu210lp7gn3rk4hp5vn0tbb8r A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM 
                 q87h5j08tdm01l30k032vl3gqoohp1oj.rfv.se.   900 IN  RRSIG   NSEC3 8 3 900 20231115085703 20231107081804 1503 rfv.se. IFH14QkFp8YlGijJ509oYBB1Up0Cv8fsd5mRqlB4K212HFcQn9pSnLEUaaEROhfdHFwdKEoQaiM37i8DyRa/WKzsWj+2w2n+TKrnqbZfiPw35TP7I++jj2Gqa226VTqGeITFKesETbYffhqCGUohQq4oIBx8calYzQgjJBK3Cu9SWxZVn5eNIZUc3eBQE33KgyCUHpe8vlJMG8lntfO5D2QH6sCcpVTR4J9q2drDoHsk0ChRyzJvGS0W3qCOgcmPw0ncmE4PBjBH99r2Q9GwlWSRW/UCWFopXkzglUVw82d59Ba3Rg8cETa81Fx4OTQBh7327Dr2Nv68xFsFsVJVLg==
                 q87h5j08tdm01l30k032vl3gqoohp1oj.rfv.se.   900 IN  RRSIG   NSEC3 8 3 900 20231115085703 20231107081804 7131 rfv.se. n29arI2hFErnBImb8sau6Yh4B72yLsbMih5cIQJUBLZuPYonF2eB7ejwNtxucbZCktnCWtpDj7nGED+ZjEU4rqBEPzR34zBwM+JVcaAbcu5SY7zvHxGOWnCeGovBcSiUaxuRcVsili9YwnSpKTtsmWSyqCg34wpeGfSGugghZw58Ld5HlW0lqXVDHHW+nZa2W/OdG8AvHJ6cVCKg1ON5FclKCOXtcqT6LJ3eT40/ocS7b0gT8CPwQDrVwDg445BlXlA63nJ1TCqDXohnLECqiZm/nlCSpPCWn8tTrtkEaGkzeMXkP3I5BXet9c3F5k+xT6/JDi0JnowMNnvjVsfHbQ==
                 md9tbun7khnp47v7if2825ua3q1pamg0.rfv.se.   900 IN  NSEC3   1 0 10 4c1a362edc2e3c  o4q5g5r4kqdd6itcc9fo865auuntkvqs
                 md9tbun7khnp47v7if2825ua3q1pamg0.rfv.se.   900 IN  RRSIG   NSEC3 8 3 900 20231115085703 20231107081804 1503 rfv.se. HqzBH9i1mwF/WDX1gUDJT+jrV+VaZOOcVZcaYd+qSoGLAGr6O1POmhUq2VAPLvHPfZ98MkOk9fpopd7aTJDf9ROxat/SqnB52YPVgyqZ4KIkj9s6UMxhiRxA7eY/Q3PjRM+PecjiJ8wXGy9RAMNI88gYut1fxWJAStFx4CyZDDd9XWv1IScJ0bRFfIowSxV9RjDrtdSv9cVCh5Uo2/Pdbnl6tO3rbizXrXvfNsmMB0HwNZ3OK+BwFIbC8LjyBEwpEAEXq2J8qnPGML5V8LUKbeBjxykgIk+gzv8XkFKV5On4oojHvwSR+eCbSh0zzE/CkhUhYmsqhP0RFoAN3QIdpA==
                 md9tbun7khnp47v7if2825ua3q1pamg0.rfv.se.   900 IN  RRSIG   NSEC3 8 3 900 20231115085703 20231107081804 7131 rfv.se. uaJOmG8IQA0kHJbxhoTI2iDSoNo5Wdfm93S5sud7G2RYScCeXPW9AzHBcs5JOUMfSitsJT1V9mZazOZZQl2sn9QMlkdVQzkS2lsTpYlff+ke/aI9SLSzH1mvlFCISWO6oh6W6EzF/axrGpjJUebqDjR0tMpjYULakFx6kyxGBu0a/uNWceloiDPgAFPcupgffeT2BdHUtxpzqDfQzwPGGh17u3tJxoBFVLR1aqIYJ8bMFCQ5CLo/svrMEmf9Bs8UbhGbNfBlfH7Mqi4h5aWPGafBfwtsmYoCOLTmYUlwgaU8GB8yKBNgBta0lTJ4C7QvYIciIxBdSkNuj7rcvxvLvg==
                 rfv.se.    900 IN  SOA ns1.sgit.se. dnsmaster.forsakringskassan.se. 2009088397 900 90 2592000 900
                 rfv.se.    900 IN  RRSIG   SOA 8 2 3600 20231116054903 20231108044903 1503 rfv.se. gWiaI0k0Pq3BihLDYqMuxOjeyV/J2x8AUeUz8pNi6ynW/O6mT7ecofE0YWwm3JR2jk1yGHDPjaLHSzPN9jo/AsGsshsnaVibBI8Na55jLs6zT6vb8W1Ym81/qVZ0Yp1pad49bzNNDSZs5niv1ZjwpBkN+iWxq+nA0ax4+w7UprxLaIUBxRJ2Obys388UkcUqoU9vYlHbCwl3SkfCaBUkqCIClIlww7sMAC6+CsVdWt41hm0IssXCwme7YmyY3F2+RC84uTc4VDMoVEaTvNTEcPnjrrae3PYiClAUIx1gw5zeczkoG2XtH0N/kdqMoSeJeJToi1dqu4qqUKsVPf+Bww==
                 rfv.se.    900 IN  RRSIG   SOA 8 2 3600 20231116054903 20231108044903 7131 rfv.se. sH+jNUvWkt5jKxBIw43ng0O5bPVFlo05peFmesY4Qwb/IN1s2n68vwLrC8msSazLeoU4lDA/XYWEXJOVZDbWWt8MloyA+VukhvOeHEmDK4SaTPe319XMhRsUERN//+OplGsOV/TQg2xRqLu3qqHDil8vtZJ2GAyzb8qPulIfw0Xrg2v0kT0XrzWyFC1WnNOeavkceAZSwPYnljmNec2Eddbd3VV+Wy6sHIhltUUz0Z9jj704z6PJv2A/URHi4Iw8LdExJRGPKMk4YE56DJbDirdNFXMzOnUSZLtMjuv5fwT21PgkHH13fDy/Lr/zFW40HhHH18vXDWYz04Ja7nhs/w==

                 ;; ADDITIONAL SECTION:

                 ;; Query time: 85 msec
                 ;; EDNS: version 0; flags: do ; udp: 4096
                 ;; SERVER: 194.71.70.189
                 ;; WHEN: Wed Nov  8 11:14:23 2023
                 ;; MSG SIZE  rcvd: 2066

matsduf commented 1 year ago

> @matsduf Oddly enough, although the error is still present, I can't seem to be able to reproduce the behavior from Zonemaster:

@tgreenx, I can also see that I do not get the error from Zonemaster anymore, but I also see that something has happened with rfv.se that might explain why. When I queried for the non-existing name under rfv.se -- which resulted in the error in Zonemaster -- I got the following lines before (excerpt from above):

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5265
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

But the similar riksforsakringsverket.se also gave a malformed packet, but no error in Zonemaster (excerpt from above):

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38980
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

The difference that I see is that the rfv.se packet had 6 non-existing records in the authority section, but riksforsakringsverket.se only 3. And when I look at rfv.se today there are only 3:

; <<>> DiG 9.18.14 <<>> @194.71.70.189 xx--oplk4f3fgh9lksdfhu7h--xx.rfv.se A +dnssec +norec +ignore +noidnin +noidnout
(...)
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23713
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

We need a tool that can create such a packet. I cannot see that it is possible with CoreDNS, but I have sent a question out.