Brett,

On Fri, 25 Nov 2005 10:25:42 +0100, "Brett Carr" <brettcarr@ripe.net> said:

-----Original Message-----
From: Alexander Gall [mailto:gall@switch.ch]
Sent: 25 November 2005 10:07
To: Brett Carr
Cc: dns-wg@ripe.net
Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
I tried to add a ds-rdata attribute to 176.195.in-addr.arpa, but I got:
***Error: DS records are not accepted for this zone.
Mmm that's odd, I'll look into it. Will get back to you.
Thanks. Maybe I should add that I submitted the request yesterday at around 12:30, i.e. before you posted the announcement (precognition can be a pain ;-) Since I got the reply from the robot at midnight, I figured that this shouldn't have mattered, but maybe it did and the request was actually processed before the service was enabled? In that case, I should probably just retry.
Alex, yes I should try it again if I were you. I was literally configuring it as I sent the e-mail to the dns-wg. Let me know if it doesn't work and I'll look into it.
I submitted another request and this one succeeded :-)

However, I think there is a problem with ns.ripe.net. It doesn't return DNSSEC RRsets when the DO flag is set in the query:

; <<>> DiG 9.4.0a2 <<>> @ns.ripe.net 176.195.in-addr.arpa. soa +dnssec +norec +noauth +noadd
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 567
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;176.195.in-addr.arpa. IN SOA

;; ANSWER SECTION:
176.195.in-addr.arpa. 86400 IN SOA scsnms.switch.ch. hostmaster.switch.ch. 2005112409 28800 7200 604800 1800

;; Query time: 59 msec
;; SERVER: 2001:610:240:0:53::193#53(2001:610:240:0:53::193)
;; WHEN: Fri Nov 25 11:43:12 2005
;; MSG SIZE rcvd: 172

This should include the RRSIG(SOA) record in the answer section, which is actually there if you ask for it directly

; <<>> DiG 9.4.0a2 <<>> @ns.ripe.net 176.195.in-addr.arpa. rrsig +norec +noauth +noadd
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 328
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;176.195.in-addr.arpa. IN RRSIG

;; ANSWER SECTION:
176.195.in-addr.arpa. 86400 IN RRSIG SOA 5 4 86400 20051208112546 20051124112546 1691 176.195.in-addr.arpa. HRGiKQmRLK4Y26jWLH7GQSVCJTRu0g2H12orAIQyhAszpOAJNDWG0BZc YkX+ung8S6kv3009VaJfO7DfXprbXaypVJ6RVug6XKDAgD7iU4/aEhCx btQ/yGRnKLzKU3D6psoGoY0TddDD+Em9yXKAHnAB+J77D1gyV5BAd3op A6Y=
176.195.in-addr.arpa. 86400 IN RRSIG NS 5 4 86400 20051208075925 20051124075925 1691 176.195.in-addr.arpa. noQW84vwzB2YSVOA/wCwDDya9os0PYtjkXOki6BuV44RzSI76L13t0zu aC3QA+5Ho9e09o+zCoU2t4Lt+FYMKIUjFE2lC+lDhGTdU1RWUfMQkcxp GIbeH769p4BFPtNesFetJO5GObAHns40aWVavd2ev4sAzu9tqrYks93O A7s=
176.195.in-addr.arpa. 1800 IN RRSIG NSEC 5 4 1800 20051207142856 20051123142856 1691 176.195.in-addr.arpa. v/qm+7NZ448b5ahe59QopUtUeQv2epIda67gmGEc0R8wDdUB4b+CRo29 Wjbe15NN8Awv3eFX9Vffc7OZe4X4bcirqVKBFdzgCzYtjxcWxrwb3Q1q 3Ddpqv/P4ep4jUvbhcOyGxE4xinLiP8Ht00uvi7uMQPgQPLe+yi76PBc 2Tg=
176.195.in-addr.arpa. 86400 IN RRSIG DNSKEY 5 4 86400 20051208112546 20051124112546 1691 176.195.in-addr.arpa. L7BegdxxrNKBdPQ6xhL2zDdDB4CyNq+E6hIIoA0wuIRXx3AEhchTvN+J whx0YcPAcagGPlcbxMk8rFWhLqAQOacV1CYLAGGbpd/NEa6SHou0zbKg ZxYVtBr0yzEWLyuDd2F9wLLzsGiy/i+AestM1hlzm/wxOn8cq/9Em+ag oNE=
176.195.in-addr.arpa. 86400 IN RRSIG DNSKEY 5 4 86400 20051208112546 20051124112546 36555 176.195.in-addr.arpa. qBfqrQHCjdW2PV7XaabuYimfkl8lVYGZvO5EvxFSlA1TSwGzlx3F9ZFi 7kMwmTYH1ANJM9ZpEGHPr9bxeQPYWnMCV5PpwzaynUxALY8t0s1P5KFO yWmzQrXusGK+mkj8YF3SzCcSh0GUIxgJsAHLy2VKJUI4WMNAmPXeuWug IjoTgu/heYi3vJvtq3Gh53M8pLHSmGfbeiFn7glKvL3Ypb4FxlWs/W97 57TNODdnXBUFDALyDf7OTW3Mh6rUhBYGCns4j/9NYlSHvkyTd/ipbSiQ JDVtu1JqS++IZkFQh3C/diWBn/OImjalYWIjqm4GLBWpHRaLQAn0p6UM dDng9A==

;; Query time: 53 msec
;; SERVER: 2001:610:240:0:53::193#53(2001:610:240:0:53::193)
;; WHEN: Fri Nov 25 11:46:02 2005
;; MSG SIZE rcvd: 1142

It looks to me like DNSSEC isn't enabled on ns.ripe.net. This also causes all sorts of errors being flagged by the delegation checker (<http://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi>) that aren't really there. That tool seems to have some trouble with DO queries to our name servers as well :-(

You might want to have a look at this. Actually, if this delegation checker is the one being used by the robot that processes the inverse delegation requests, I don't understand why my request succeeded at all.

Regards,
Alex
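The symptom reported in this message (DO set in the query, answer RRset returned without its RRSIG) can be checked mechanically from dig's text output. The following is an added example, not part of the original thread; the function name `missing_rrsigs` and both sample replies are constructed, and it assumes the zone is signed and the input is in dig's usual text format.

```python
import re

# Constructed sample, modelled on the first dig reply quoted in this message.
UNSIGNED_REPLY = """\
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
176.195.in-addr.arpa. 86400 IN SOA scsnms.switch.ch. hostmaster.switch.ch. 2005112409 28800 7200 604800 1800

;; Query time: 59 msec
"""
# Constructed: the same reply as a DNSSEC-enabled server would send it.
# The signature field is a placeholder, not a real signature.
SIGNED_REPLY = UNSIGNED_REPLY.replace(
    "\n\n;; Query",
    "\n176.195.in-addr.arpa. 86400 IN RRSIG SOA 5 4 86400 20051208112546 "
    "20051124112546 1691 176.195.in-addr.arpa. PLACEHOLDER=\n\n;; Query")


def missing_rrsigs(dig_output):
    """Return sorted (owner, type) pairs for answer RRsets with no covering RRSIG.

    Returns [] when the reply shows no DO flag, since no RRSIG is expected then.
    """
    # The OPT pseudosection shows the EDNS flags, e.g. "flags: do; udp: 4096".
    edns = re.search(r"^; EDNS:.*flags:([^;]*);", dig_output, re.M)
    if not edns or "do" not in edns.group(1).split():
        return []
    rrsets, covered, in_answer = set(), set(), False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer:
            if not line.strip() or line.startswith(";"):
                break  # blank line or next section header ends the answer section
            fields = line.split()  # owner, TTL, class, type, rdata...
            owner, rtype = fields[0].lower(), fields[3]
            if rtype == "RRSIG":
                covered.add((owner, fields[4]))  # first rdata field: type covered
            else:
                rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


if __name__ == "__main__":
    for name, text in (("unsigned", UNSIGNED_REPLY), ("signed", SIGNED_REPLY)):
        print(name, missing_rrsigs(text) or "ok")
```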