Brett, What's going on with 195.in-addr.arpa? All DNSSEC records are gone, e.g. ; <<>> DiG 9.4.0a2 <<>> @193.0.0.195 195.in-addr.arpa. dnskey ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1037 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; WARNING: recusion requested but not available ;; QUESTION SECTION: ;195.in-addr.arpa. IN DNSKEY ;; AUTHORITY SECTION: 195.in-addr.arpa. 7200 IN SOA ns-pri.ripe.net. ops.ripe.net. 2005112722 43200 7200 1209600 7200 ;; Query time: 49 msec ;; SERVER: 193.0.0.195#53(193.0.0.195) ;; WHEN: Mon Nov 28 08:41:30 2005 ;; MSG SIZE rcvd: 89 The same happened to {193,194,212}.in-addr.arpa, but the other inverse zones are fine. -- Alex On Thu, 24 Nov 2005 14:13:29 +0100, "Brett Carr" <brettcarr@ripe.net> said:
Dear Colleagues, As part of the project to deploy DNSSEC in the RIPE NCC service region, the RIPE NCC has further expanded the signing of zones from the reverse tree.
The following zones are now signed:
ripe.net ripencc.com ripencc.net ripencc.org ripe-ncc.com ripe-ncc.net ripe-ncc.org 89.in-addr.arpa 90.in-addr.arpa 213.in-addr.arpa 213.in-addr.arpa. 193.in-addr.arpa. 195.in-addr.arpa. 212.in-addr.arpa. 194.in-addr.arpa. 145.in-addr.arpa.
If you want to configure your resolvers to verify these zones using DNSSEC, *key signing keys* for these zones are available at: https://www.ripe.net/projects/disi/keys/ripe-ncc-dnssec-keys.txt
For information about how to use the keys, and for further details about DNSSEC deployment at the RIPE NCC, please see: http://www.ripe.net/projects/disi/keys/
The following zones will now accept secure delegations (DS Records) via the addition of a "ds-rdata:" record in the whois domain object for the zone:
89.in-addr.arpa. 90.in-addr.arpa. 213.in-addr.arpa. 193.in-addr.arpa. 195.in-addr.arpa.
Regards
Brett Carr RIPE NCC