[dns-wg] RIPE NCC DNSSEC on the reverse tree update.
Alexander Gall
gall at switch.ch
Fri Nov 25 15:21:42 CET 2005
Brett,

On Fri, 25 Nov 2005 14:41:34 +0100, "Brett Carr" <brettcarr at ripe.net> said:

>> -----Original Message-----
>> From: Alexander Gall [mailto:gall at switch.ch]
>> Sent: 25 November 2005 11:48
>> To: Brett Carr
>> Cc: dns-wg at ripe.net
>> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.

[...]

>>
>> However, I think there is a problem with ns.ripe.net. It
>> doesn't return DNSSEC RRsets when the DO flag is set in the query:
>> [...]

> I found a small config typo, which I have fixed, it should be ok now though.

Thanks, it looks good now.

Did you have a chance to look (or have somebody else have a look :-) at
<https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the zone
176.195.in-addr.arpa? I can see two problems:

- For some reason, the tool doesn't get replies to queries for NS and
  DNSKEY records at our name servers {merapi,scsnms}.switch.ch with
  the DO flag set. The tool then (erroneously) concludes that these
  RRsets are inconsistent among the servers for the zone. I see the
  queries coming in on our servers from 193.0.0.214. Could it be that
  the replies are filtered somewhere in your network (having strange
  flags and all that)?

- It complains about the SEP Key (i.e. KSK) not being self-signed. I
  suppose this means that there is no RRSIG(DNSKEY) by the KSK.
  However, I'm pretty sure there are valid RRSIGs from both the ZSK
  and KSK.

Regards,
Alex
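The second point in the message above turns on whether the DNSKEY RRset carries an RRSIG made by the SEP key. The following is an added example (not part of the original message, and not the delcheck tool's code) that performs that check by matching key tags computed per RFC 4034 Appendix B; the key material, the tuple layout and the function names are constructed for illustration.

```python
import struct

SEP_FLAG = 0x0001  # Secure Entry Point bit in the DNSKEY flags field (RFC 4034)

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def unsigned_sep_keys(dnskeys, rrsigs):
    """Return key tags of SEP keys that have no matching RRSIG(DNSKEY).

    dnskeys: list of (flags, protocol, algorithm, public_key_bytes)
    rrsigs:  list of (type_covered, algorithm, signer_key_tag)
    Only (algorithm, key tag) is matched; the signature itself is not verified.
    """
    signers = {(alg, tag) for covered, alg, tag in rrsigs if covered == "DNSKEY"}
    missing = []
    for flags, proto, alg, pub in dnskeys:
        tag = key_tag(dnskey_rdata(flags, proto, alg, pub))
        if flags & SEP_FLAG and (alg, tag) not in signers:
            missing.append(tag)
    return missing

# Constructed sample data (not real keys): one KSK (flags 257), one ZSK (flags 256).
KSK = (257, 3, 5, bytes([1, 2, 3, 4]))
ZSK = (256, 3, 5, bytes([10, 11, 12, 13]))
KSK_TAG = key_tag(dnskey_rdata(*KSK))
ZSK_TAG = key_tag(dnskey_rdata(*ZSK))

# Case 1: RRSIG(DNSKEY) from both ZSK and KSK, the situation the message describes.
BOTH = [("DNSKEY", 5, ZSK_TAG), ("DNSKEY", 5, KSK_TAG)]
# Case 2: only the ZSK signed the DNSKEY RRset, so the SEP key is not self-signed.
ZSK_ONLY = [("DNSKEY", 5, ZSK_TAG), ("NS", 5, ZSK_TAG)]

if __name__ == "__main__":
    print("both signers, unsigned SEP keys:", unsigned_sep_keys([KSK, ZSK], BOTH))
    print("ZSK only, unsigned SEP keys:", unsigned_sep_keys([KSK, ZSK], ZSK_ONLY))
```

A key-tag match only shows that a signature attributed to the SEP key is present; a validator must still verify the RRSIG cryptographically against that key.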