RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
To: "Brett Carr" <>
From: Alexander Gall <>
Date: Fri, 25 Nov 2005 15:21:42 +0100
Brett,
On Fri, 25 Nov 2005 14:41:34 +0100, "Brett Carr" brettcarr@localhost said:
>> -----Original Message-----
>> From: Alexander Gall [ ]
>> Sent: 25 November 2005 11:48
>> To: Brett Carr
>> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
[...]
>>
>> However, I think there is a problem with ns.ripe.net. It
>> doesn't return DNSSEC RRsets when the DO flag is set in the query:
>>
[...]
> I found a small config typo, which I have fixed, it should be ok now though.
Thanks, it looks good now.
Did you have a chance to look (or have somebody else have a look :-)
at <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the zone
176.195.in-addr.arpa? I can see two problems:
- For some reason, the tool doesn't get replies to queries for NS and
  DNSKEY records at our name servers {merapi,scsnms}.switch.ch with
  the DO flag set. The tool then (erroneously) concludes that these
  RRsets are inconsistent among the servers for the zone.

  I see the queries coming in on our servers from 193.0.0.214. Could
  it be that the replies are filtered somewhere in your network (having
  strange flags and all that)?

- It complains about the SEP Key (i.e. KSK) not being self-signed. I
  suppose this means that there is no RRSIG(DNSKEY) by the KSK.
  However, I'm pretty sure there are valid RRSIGs from both the ZSK
  and KSK.
Regards,
Alex
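
Added example, not part of the original message and not the delcheck tool's code: a structural version of the check discussed in the second point, reporting SEP-flagged DNSKEYs that no RRSIG(DNSKEY) refers to by algorithm and key tag. The function names and sample keys are constructed for illustration, and signatures are matched by key tag only, not cryptographically verified.

```python
import struct

TYPE_DNSKEY = 48      # RR type code for DNSKEY
SEP_FLAG = 0x0001     # Secure Entry Point bit; a KSK has flags 257

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def sep_keys_without_rrsig(dnskeys, rrsigs):
    """Return key tags of SEP keys that no RRSIG(DNSKEY) refers to.

    dnskeys: list of DNSKEY RDATA bytes
    rrsigs:  list of (type_covered, algorithm, key_tag) from RRSIG RDATA
    """
    signers = {(alg, tag) for covered, alg, tag in rrsigs
               if covered == TYPE_DNSKEY}
    missing = []
    for rdata in dnskeys:
        flags, _protocol, alg = struct.unpack("!HBB", rdata[:4])
        tag = key_tag(rdata)
        if flags & SEP_FLAG and (alg, tag) not in signers:
            missing.append(tag)
    return missing

# Constructed sample data: the key bytes are filler, not real public keys.
KSK = dnskey_rdata(257, 5, bytes(range(1, 33)))    # algorithm 5 = RSA/SHA-1
ZSK = dnskey_rdata(256, 5, bytes(range(33, 65)))
BOTH_SIGN = [(TYPE_DNSKEY, 5, key_tag(ZSK)), (TYPE_DNSKEY, 5, key_tag(KSK))]
ZSK_ONLY = [(TYPE_DNSKEY, 5, key_tag(ZSK))]

if __name__ == "__main__":
    print("both sign:", sep_keys_without_rrsig([KSK, ZSK], BOTH_SIGN))
    print("ZSK only: ", sep_keys_without_rrsig([KSK, ZSK], ZSK_ONLY))
```

Key tags are not unique, so a match here only shows that an RRSIG names the key; confirming the self-signature still requires validating the RRSIG against the KSK's public key.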