Alg 7 is ancient and deprecated...
When one has DNS issues, especially DNSSEC related, run dnsviz:
https://dnsviz.net/d/gkb.ch/ZDeung/dnssec/
as that will show you what is off:
```
• gkb.ch zone: The server(s) were not responsive to queries over UDP. (2001:67c:2350:11::bad:babe)
• gkb.ch/A: No response was received from the server over UDP (tried 12 times). (2001:67c:2350:11::bad:babe, UDP_-_NOEDNS_)
• gkb.ch/NS: No response was received from the server over UDP (tried 12 times). (2001:67c:2350:11::bad:babe, UDP_-_NOEDNS_)
```
```
• RRSIG gkb.ch/A alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/A alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 18681: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/DNSKEY alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/MX alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/MX alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NS alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NS alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NSEC3PARAM alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/NSEC3PARAM alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/SOA alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/SOA alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/TXT alg 7, id 42122: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
• RRSIG gkb.ch/TXT alg 7, id 52259: DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
```
Greets, Jeroen