Hi,
it seems my omnia cannot resolve the domain auth.app.wiz.io with DNSSEC enabled. It doesn’t matter which forwarder I use (I regularly use the cz.nic forwarder but I have tried the others too). Online dnssec validators/resolvers are fine (except it is a cname pointing to an unsecured domain) with it so I suspect it is some kind of kresd issue.
They are serving inconsistent DNSSEC records. Snippets from your log:
Feb 18 13:14:26 omnia kresd[10300]: app.wiz.io. 300 DS 62788 13 2 49617F9A01B6DC10155BEEBFAEF6B83AF5A21B64A90111F713F44ED5C2396015
Feb 18 13:14:26 omnia kresd[10300]: app.wiz.io. 300 RRSIG DS 13 3 300 20250218141926 20250218121426 60330 wiz.io. YcfGY+6EuyQjInyqIM4OYtZIBA+3mqFdl1fKJkWpyk8/eC46fZ5Azs7XR/ZBsWGeoGq0yhl83AHmy7oEpQQKpQ==
so a DS record gets presented on the name but apparently they do not want a zone cut in there, so the validator is unable to extend the DNSSEC trust chain below that point:
Feb 18 13:14:26 omnia kresd[10300]: app.wiz.io. 86400 NSEC \000.app.wiz.io. A PTR HINFO MX TXT RP AAAA SRV NAPTR SSHFP RRSIG NSEC TLSA SVCB HTTPS SPF CAA
Feb 18 13:14:26 omnia kresd[10300]: app.wiz.io. 86400 RRSIG NSEC 13 3 86400 20250219141426 20250218121426 60330 wiz.io. 0ILVf+TZ+mqdg4Oc7qwHKPvoMRRWTCHFz21/Aa8UdIFljQ77u7+b0sPH5ny5JZuJ1heBqN0rrzNkGKqMd5u+Hw==
(BTW, this record denies existence of the previously sent record, too.)
While in my testing the validator did not get into this “loop” and it just resolved, honestly I don’t really care if it fails after getting sent this kind of mess. I’m sorry. I’d spend most of my time working around similar nonsense.
I expect this particular situation would be also avoided if you configured without any forwarding.