RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
To: "Brett Carr" <>
From: Alexander Gall <>
Date: Fri, 25 Nov 2005 11:48:02 +0100
Brett,
On Fri, 25 Nov 2005 10:25:42 +0100, "Brett Carr" brettcarr@localhost said:
>> -----Original Message-----
>> From: Alexander Gall [ ]
>> Sent: 25 November 2005 10:07
>> To: Brett Carr
>> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>>
>> >> I tried to add a ds-rdata attribute to 176.195.in-addr.arpa, but I
>> >> got:
>> >>
>> >> ***Error: DS records are not accepted for this zone.
>> >>
>>
>> > Mmm, that's odd, I'll look into it.
>> > Will get back to you.
>>
>> Thanks. Maybe I should add that I submitted the request
>> yesterday at around 12:30, i.e. before you posted the
>> announcement (precognition can be a pain ;-) Since I got the
>> reply from the robot at midnight, I figured that this
>> shouldn't have mattered, but maybe it did and the request was
>> actually processed before the service was enabled? In that
>> case, I should probably just retry.
>>
> Alex,
> yes, I should try it again if I were you. I was literally configuring it
> as I sent the e-mail to the dns-wg. Let me know if it doesn't work and I'll
> look into it.
I submitted another request and this one succeeded :-)
However, I think there is a problem with ns.ripe.net. It doesn't
return DNSSEC RRsets when the DO flag is set in the query:
; <<>> DiG 9.4.0a2 <<>> @ns.ripe.net 176.195.in-addr.arpa. soa +dnssec +norec +noauth +noadd
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 567
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;176.195.in-addr.arpa. IN SOA
;; ANSWER SECTION:
176.195.in-addr.arpa. 86400 IN SOA scsnms.switch.ch. hostmaster.switch.ch. 2005112409 28800 7200 604800 1800
;; Query time: 59 msec
;; SERVER: 2001:610:240:0:53::193#53(2001:610:240:0:53::193)
;; WHEN: Fri Nov 25 11:43:12 2005
;; MSG SIZE rcvd: 172
This should include the RRSIG(SOA) record in the answer section, which
is actually there if you ask for it directly:
; <<>> DiG 9.4.0a2 <<>> @ns.ripe.net 176.195.in-addr.arpa. rrsig +norec +noauth +noadd
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 328
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;176.195.in-addr.arpa. IN RRSIG
;; ANSWER SECTION:
176.195.in-addr.arpa. 86400 IN RRSIG SOA 5 4 86400 20051208112546 20051124112546 1691 176.195.in-addr.arpa. HRGiKQmRLK4Y26jWLH7GQSVCJTRu0g2H12orAIQyhAszpOAJNDWG0BZc YkX+ung8S6kv3009VaJfO7DfXprbXaypVJ6RVug6XKDAgD7iU4/aEhCx btQ/yGRnKLzKU3D6psoGoY0TddDD+Em9yXKAHnAB+J77D1gyV5BAd3op A6Y=
176.195.in-addr.arpa. 86400 IN RRSIG NS 5 4 86400 20051208075925 20051124075925 1691 176.195.in-addr.arpa. noQW84vwzB2YSVOA/wCwDDya9os0PYtjkXOki6BuV44RzSI76L13t0zu aC3QA+5Ho9e09o+zCoU2t4Lt+FYMKIUjFE2lC+lDhGTdU1RWUfMQkcxp GIbeH769p4BFPtNesFetJO5GObAHns40aWVavd2ev4sAzu9tqrYks93O A7s=
176.195.in-addr.arpa. 1800 IN RRSIG NSEC 5 4 1800 20051207142856 20051123142856 1691 176.195.in-addr.arpa. v/qm+7NZ448b5ahe59QopUtUeQv2epIda67gmGEc0R8wDdUB4b+CRo29 Wjbe15NN8Awv3eFX9Vffc7OZe4X4bcirqVKBFdzgCzYtjxcWxrwb3Q1q 3Ddpqv/P4ep4jUvbhcOyGxE4xinLiP8Ht00uvi7uMQPgQPLe+yi76PBc 2Tg=
176.195.in-addr.arpa. 86400 IN RRSIG DNSKEY 5 4 86400 20051208112546 20051124112546 1691 176.195.in-addr.arpa. L7BegdxxrNKBdPQ6xhL2zDdDB4CyNq+E6hIIoA0wuIRXx3AEhchTvN+J whx0YcPAcagGPlcbxMk8rFWhLqAQOacV1CYLAGGbpd/NEa6SHou0zbKg ZxYVtBr0yzEWLyuDd2F9wLLzsGiy/i+AestM1hlzm/wxOn8cq/9Em+ag oNE=
176.195.in-addr.arpa. 86400 IN RRSIG DNSKEY 5 4 86400 20051208112546 20051124112546 36555 176.195.in-addr.arpa. qBfqrQHCjdW2PV7XaabuYimfkl8lVYGZvO5EvxFSlA1TSwGzlx3F9ZFi 7kMwmTYH1ANJM9ZpEGHPr9bxeQPYWnMCV5PpwzaynUxALY8t0s1P5KFO yWmzQrXusGK+mkj8YF3SzCcSh0GUIxgJsAHLy2VKJUI4WMNAmPXeuWug IjoTgu/heYi3vJvtq3Gh53M8pLHSmGfbeiFn7glKvL3Ypb4FxlWs/W97 57TNODdnXBUFDALyDf7OTW3Mh6rUhBYGCns4j/9NYlSHvkyTd/ipbSiQ JDVtu1JqS++IZkFQh3C/diWBn/OImjalYWIjqm4GLBWpHRaLQAn0p6UM dDng9A==
;; Query time: 53 msec
;; SERVER: 2001:610:240:0:53::193#53(2001:610:240:0:53::193)
;; WHEN: Fri Nov 25 11:46:02 2005
;; MSG SIZE rcvd: 1142
It looks to me like DNSSEC isn't enabled on ns.ripe.net. This also
causes all sorts of errors to be flagged by the delegation checker
(<http://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi>) that aren't
really there. That tool seems to have some trouble with DO queries to
our name servers as well :-( You might want to have a look at this.
Actually, if this delegation checker is the one being used by the
robot that processes the inverse delegation requests, I don't understand
why my request succeeded at all.
Regards,
Alex
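The check Alex performs above with dig (send a query with the EDNS0 DO bit set and see whether an RRSIG covering the requested RRset comes back in the answer section) as an added Python example; this is not code from the original message, from RIPE NCC or from SWITCH. It uses only the standard library: it builds the DO query on the wire, parses a reply, and reports whether the RRset is accompanied by an RRSIG that covers it. The two sample replies are constructed inside the script (one with only the SOA, as ns.ripe.net returned; one with an RRSIG next to it); the signature bytes, timestamps, the `query_udp` helper and any server address you pass to it are assumptions for illustration.

```python
"""Added example (not from the original post): does a server include RRSIGs when
asked with the EDNS0 DO bit, as dig +dnssec does? Standard library only; the
sample replies below are constructed, not captured from ns.ripe.net."""
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
DO_FLAG = 0x8000  # top bit of the OPT pseudo-RR's TTL field (RFC 3225)


def encode_name(name):
    """Dotted name -> uncompressed wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_rr(do, udp_size=4096):
    """OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/DO/Z."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG if do else 0, 0)


def build_query(name, qtype, qid=0x1234, do=True):
    """Non-recursive query (like dig +norec); with do=True the OPT RR carries DO."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question + (opt_rr(do) if do else b"")


def build_response(name, qtype, rrs, do_echoed, qid=0x1234):
    """Constructed authoritative reply; rrs is a list of (type, ttl, rdata)."""
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, len(rrs), 0, 1)  # QR|AA set
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    for rtype, ttl, rdata in rrs:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg + opt_rr(do_echoed)


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (header flags, answer-section RRs, DO bit from the OPT RR or None)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers, do_bit = [], None
    for i in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do_bit = bool(ttl & DO_FLAG)
        elif i < an:  # only the answer section matters for this check
            answers.append((name, rtype, ttl, rdata))
    return flags, answers, do_bit


def check_signed_answer(msg, qtype):
    """Verdict for a DO query: is the RRset there, and is an RRSIG covering it beside it?"""
    flags, answers, do_bit = parse_response(msg)
    # The first 16 bits of RRSIG RDATA are the "type covered" field.
    covered = [struct.unpack("!H", rd[:2])[0] for _, t, _, rd in answers if t == TYPE_RRSIG]
    return {"aa": bool(flags & 0x0400), "do_echoed": do_bit,
            "has_rrset": any(t == qtype for _, t, _, _ in answers),
            "rrsig_covers_rrset": qtype in covered}


def query_udp(server, name, qtype, timeout=3.0):
    """Send the DO query over UDP and return the raw reply (needs network; address is yours)."""
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(4096)


ZONE = "176.195.in-addr.arpa."
SOA_RDATA = (encode_name("scsnms.switch.ch.") + encode_name("hostmaster.switch.ch.")
             + struct.pack("!IIIII", 2005112409, 28800, 7200, 604800, 1800))
# Constructed RRSIG RDATA: covers SOA, alg 5, 4 labels, orig TTL, expiry, inception
# (placeholder epochs), key tag 1691, signer, then a placeholder signature blob.
RRSIG_SOA_RDATA = (struct.pack("!HBBIIIH", TYPE_SOA, 5, 4, 86400, 1134000000, 1132800000, 1691)
                   + encode_name(ZONE) + b"\x00" * 128)
UNSIGNED_REPLY = build_response(ZONE, TYPE_SOA, [(TYPE_SOA, 86400, SOA_RDATA)], do_echoed=True)
SIGNED_REPLY = build_response(ZONE, TYPE_SOA, [(TYPE_SOA, 86400, SOA_RDATA),
                                               (TYPE_RRSIG, 86400, RRSIG_SOA_RDATA)], do_echoed=True)

if __name__ == "__main__":
    for label, reply in (("unsigned reply", UNSIGNED_REPLY), ("signed reply", SIGNED_REPLY)):
        print(label, check_signed_answer(reply, TYPE_SOA))
    # Live check (network): check_signed_answer(query_udp(server_ip, ZONE, TYPE_SOA), TYPE_SOA)
```

The verdict only says whether an RRSIG covering the queried type travels with the RRset, which is exactly what the dig output above lacks; it does not validate the signature or the chain of trust. When running it live, a truncated (TC) reply from a server with a small EDNS buffer would need a TCP retry, and a server that strips the OPT RR altogether shows up as `do_echoed` being `None`.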