-----Original Message----- From: Alexander Gall [mailto:gall@switch.ch] Sent: 25 November 2005 11:48 To: Brett Carr Cc: dns-wg@ripe.net Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
Brett,
Alex, yes I should try it again if I were you. I was literally configuring it as I sent the e-mail to the dns-wg. Let me know if it doesnt work and I'll look into it.
I submitted another request and this one succeeded :-)
However, I think there is a problem with ns.ripe.net. It doesn't return DNSSEC RRsets when the DO flag is set in the query:
; <<>> DiG 9.4.0a2 <<>> @ns.ripe.net 176.195.in-addr.arpa. soa +dnssec +norec +noauth +noadd ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 567 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;176.195.in-addr.arpa. IN SOA
;; ANSWER SECTION: 176.195.in-addr.arpa. 86400 IN SOA scsnms.switch.ch. hostmaster.switch.ch. 2005112409 28800 7200 604800 1800
;; Query time: 59 msec ;; SERVER: 2001:610:240:0:53::193#53(2001:610:240:0:53::193) ;; WHEN: Fri Nov 25 11:43:12 2005 ;; MSG SIZE rcvd: 172
This should include the RRSIG(SOA) record in the answer section, which is actually there if you ask for it directly
Alex, I found a small config typo, which I have fixed, it should be ok now though. Thanks for the feedback. Brett.. -- Brett Carr RIPE Network Coordination Centre Systems Engineer -- Operations Group Amsterdam, Netherlands GPG Key fingerprint = F20D B2A7 C91D E370 44CF F244 B6A1 EF48 E743 F7D8