RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
To: "'Alexander Gall'" <>
From: "Brett Carr" <>
Date: Tue, 29 Nov 2005 16:38:58 +0100

> -----Original Message-----
> From: Alexander Gall [ ]
> Sent: 25 November 2005 15:22
> To: Brett Carr
> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>
> Brett,
>
> On Fri, 25 Nov 2005 14:41:34 +0100, "Brett Carr"
> brettcarr@localhost said:
>
> >> -----Original Message-----
> >> From: Alexander Gall []
> >> Sent: 25 November 2005 11:48
> >> To: Brett Carr
> >> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>
> [...]
>
> >>
> >> However, I think there is a problem with ns.ripe.net. It doesn't
> >> return DNSSEC RRsets when the DO flag is set in the query:
> >>
>
> [...]
>
> > I found a small config typo, which I have fixed, it should
> > be ok now though.
>
> Thanks, it looks good now.
>
> Did you have a chance to look (or have somebody else have a
> look :-) at
> <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the
> zone 176.195.in-addr.arpa? I can see two problems:
>
> - For some reason, the tool doesn't get replies to queries for NS and
> DNSKEY records at our name servers {merapi,scsnms}.switch.ch with
> the DO flag set. The tool then (erroneously) concludes that these
> RRsets are inconsistent among the servers for the zone.
>
> I see the queries coming in on our servers from 193.0.0.214. Could
> it be that the replies are filtered somewhere in your network (having
> strange flags and all that)?

We have now fixed this after finding some strange (UDP fragment) filtering
behaviour on our Juniper router. We will be carrying out more (lab based)
tests on this and will report the results to Juniper.

Regards

Brett
--
Brett Carr RIPE Network Coordination Centre
Systems Engineer -- Operations Group Amsterdam, Netherlands
GPG Key fingerprint = F20D B2A7 C91D E370 44CF F244 B6A1 EF48 E743 F7D8
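
An added example, not part of the original message or of any RIPE NCC tool: a Python sketch of the probe logic for the failure discussed in this thread, where replies to DO-flagged queries never arrive because fragmented UDP is filtered on the path. The function names, the default MTU and the sample reply sizes are assumptions constructed for illustration.

```python
import struct

DNSKEY, OPT = 48, 41
DO_BIT = 0x8000  # "DNSSEC OK" bit in the EDNS0 flags (RFC 3225)

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, do=True, bufsize=4096, qid=0x1234):
    """Build a DNS query carrying an EDNS0 OPT record, optionally with DO set."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT reuses CLASS as the UDP payload size and TTL as ext-rcode/version/flags.
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, DO_BIT if do else 0, 0)
    return header + question + opt

def edns_of(query):
    """Return (udp_payload_size, do_flag) from a query's OPT record, else None."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    pos = 12
    for _ in range(qd):              # skip each question section entry
        while query[pos]:
            pos += query[pos] + 1
        pos += 5                     # root label + QTYPE + QCLASS
    for _ in range(ar):              # queries carry no answer/authority records
        while query[pos]:
            pos += query[pos] + 1
        rtype, size, ttl, rdlen = struct.unpack("!HHIH", query[pos + 1:pos + 11])
        if rtype == OPT:
            return size, bool(ttl & DO_BIT)
        pos += 11 + rdlen
    return None

def diagnose(udp_do, udp_plain, tcp_do, mtu=1500):
    """Arguments are reply sizes in bytes, or None when that probe timed out."""
    max_unfragmented = mtu - 28      # IPv4 header (20) + UDP header (8)
    if udp_do is not None:
        return "ok"
    if udp_plain is None and tcp_do is None:
        return "server unreachable"
    if tcp_do is not None and tcp_do > max_unfragmented:
        return "fragment filtering suspected"
    return "EDNS/DO replies dropped"
```

Feed `diagnose` the sizes observed from three probes of the same name server (UDP with DO, UDP without DO, TCP with DO); a DO reply that only arrives over TCP and exceeds the unfragmented UDP payload points at fragment handling on the path rather than at the server.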