Brett,

On Fri, 25 Nov 2005 14:41:34 +0100, "Brett Carr" <brettcarr@ripe.net> said:
-----Original Message-----
From: Alexander Gall [mailto:gall@switch.ch]
Sent: 25 November 2005 11:48
To: Brett Carr
Cc: dns-wg@ripe.net
Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
[...]
However, I think there is a problem with ns.ripe.net. It doesn't return DNSSEC RRsets when the DO flag is set in the query:
[...]
I found a small config typo, which I have fixed, it should be ok now though.
Thanks, it looks good now.

Did you have a chance to look (or have somebody else have a look :-) at <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the zone 176.195.in-addr.arpa? I can see two problems:

- For some reason, the tool doesn't get replies to queries for NS and DNSKEY records at our name servers {merapi,scsnms}.switch.ch with the DO flag set. The tool then (erroneously) concludes that these RRsets are inconsistent among the servers for the zone. I see the queries coming in on our servers from 193.0.0.214. Could it be that the replies are filtered somewhere in your network (having strange flags and all that)?
- It complains about the SEP Key (i.e. KSK) not being self-signed. I suppose this means that there is no RRSIG(DNSKEY) by the KSK. However, I'm pretty sure there are valid RRSIGs from both the ZSK and KSK.

Regards,
Alex
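An added example, not part of the original message and not the delcheck tool's code: one way to check the "SEP key is self-signed" condition discussed above, by computing each DNSKEY's key tag (RFC 4034, Appendix B) and looking for an RRSIG covering DNSKEY with the same algorithm and tag. The records in `SAMPLE` are constructed, the function names are hypothetical, and the check matches key tags only; it does not verify the signatures cryptographically.

```python
import base64
import struct

# Constructed sample (dummy key and signature bytes), not real zone data.
SAMPLE = """
176.195.in-addr.arpa. 3600 IN DNSKEY 257 3 5 AQI=
176.195.in-addr.arpa. 3600 IN DNSKEY 256 3 5 AQQ=
176.195.in-addr.arpa. 3600 IN RRSIG DNSKEY 5 4 3600 20051225000000 20051125000000 1288 176.195.in-addr.arpa. c2ln
176.195.in-addr.arpa. 3600 IN RRSIG DNSKEY 5 4 3600 20051225000000 20051125000000 1289 176.195.in-addr.arpa. c2ln
"""

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_records(text):
    """Parse 'owner ttl IN TYPE rdata...' lines into DNSKEY and RRSIG dicts."""
    keys, sigs = [], []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            pub = base64.b64decode("".join(rdata[3:]))
            keys.append({"flags": flags, "alg": alg,
                         "tag": key_tag(flags, proto, alg, pub)})
        elif rtype == "RRSIG":
            # rdata: covered alg labels origttl expire inception keytag signer sig
            sigs.append({"covers": rdata[0], "alg": int(rdata[1]),
                         "tag": int(rdata[6])})
    return keys, sigs

def unsigned_sep_keys(text):
    """Return key tags of SEP (KSK) keys with no RRSIG(DNSKEY) made by them."""
    keys, sigs = parse_records(text)
    signers = {(s["alg"], s["tag"]) for s in sigs if s["covers"] == "DNSKEY"}
    return [k["tag"] for k in keys
            if k["flags"] & 0x0001 and (k["alg"], k["tag"]) not in signers]
```

A checker that never receives the DNSKEY response with its RRSIGs (for example because replies to DO-flagged queries are dropped) would see an empty signer set and report every SEP key as not self-signed.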