This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] RIPE NCC DNSSEC on the reverse tree update.
Alexander Gall
gall at switch.ch
Fri Nov 25 11:48:02 CET 2005
Brett,

On Fri, 25 Nov 2005 10:25:42 +0100, "Brett Carr" <brettcarr at ripe.net> said:

>> -----Original Message-----
>> From: Alexander Gall [mailto:gall at switch.ch]
>> Sent: 25 November 2005 10:07
>> To: Brett Carr
>> Cc: dns-wg at ripe.net
>> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>> >> I tried to add a ds-rdata attribute to
>> 176.195.in-addr.arpa, but
>> >> I
>> >> got:
>> >>
>> >> ***Error: DS records are not accepted for this zone.
>> >>
>>
>> > Mmm that's odd, I'll look into it.
>> > Will get back to you.
>>
>> Thanks. Maybe I should add that I submitted the request
>> yesterday at around 12:30, i.e. before you posted the
>> announcement (precognition can be a pain ;-) Since I got the
>> reply from the robot at midnight, I figured that this
>> shouldn't have mattered, but maybe it did and the request was
>> actually processed before the service was enabled? In that
>> case, I should probably just retry.
>>

> Alex,
> yes I should try it again if I were you. I was literally configuring it
> as I sent the e-mail to the dns-wg. Let me know if it doesn't work and I'll
> look into it.

I submitted another request and this one succeeded :-)

However, I think there is a problem with ns.ripe.net. It doesn't
return DNSSEC RRsets when the DO flag is set in the query:

; <<>> DiG 9.4.0a2 <<>> @ns.ripe.net 176.195.in-addr.arpa. soa +dnssec +norec +noauth +noadd
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 567
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;176.195.in-addr.arpa. IN SOA

;; ANSWER SECTION:
176.195.in-addr.arpa. 86400 IN SOA scsnms.switch.ch. hostmaster.switch.ch. 2005112409 28800 7200 604800 1800

;; Query time: 59 msec
;; SERVER: 2001:610:240:0:53::193#53(2001:610:240:0:53::193)
;; WHEN: Fri Nov 25 11:43:12 2005
;; MSG SIZE rcvd: 172

This should include the RRSIG(SOA) record in the answer section, which
is actually there if you ask for it directly

; <<>> DiG 9.4.0a2 <<>> @ns.ripe.net 176.195.in-addr.arpa. rrsig +norec +noauth +noadd
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 328
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;176.195.in-addr.arpa. IN RRSIG

;; ANSWER SECTION:
176.195.in-addr.arpa. 86400 IN RRSIG SOA 5 4 86400 20051208112546 20051124112546 1691 176.195.in-addr.arpa. HRGiKQmRLK4Y26jWLH7GQSVCJTRu0g2H12orAIQyhAszpOAJNDWG0BZc YkX+ung8S6kv3009VaJfO7DfXprbXaypVJ6RVug6XKDAgD7iU4/aEhCx btQ/yGRnKLzKU3D6psoGoY0TddDD+Em9yXKAHnAB+J77D1gyV5BAd3op A6Y=
176.195.in-addr.arpa. 86400 IN RRSIG NS 5 4 86400 20051208075925 20051124075925 1691 176.195.in-addr.arpa. noQW84vwzB2YSVOA/wCwDDya9os0PYtjkXOki6BuV44RzSI76L13t0zu aC3QA+5Ho9e09o+zCoU2t4Lt+FYMKIUjFE2lC+lDhGTdU1RWUfMQkcxp GIbeH769p4BFPtNesFetJO5GObAHns40aWVavd2ev4sAzu9tqrYks93O A7s=
176.195.in-addr.arpa. 1800 IN RRSIG NSEC 5 4 1800 20051207142856 20051123142856 1691 176.195.in-addr.arpa. v/qm+7NZ448b5ahe59QopUtUeQv2epIda67gmGEc0R8wDdUB4b+CRo29 Wjbe15NN8Awv3eFX9Vffc7OZe4X4bcirqVKBFdzgCzYtjxcWxrwb3Q1q 3Ddpqv/P4ep4jUvbhcOyGxE4xinLiP8Ht00uvi7uMQPgQPLe+yi76PBc 2Tg=
176.195.in-addr.arpa. 86400 IN RRSIG DNSKEY 5 4 86400 20051208112546 20051124112546 1691 176.195.in-addr.arpa. L7BegdxxrNKBdPQ6xhL2zDdDB4CyNq+E6hIIoA0wuIRXx3AEhchTvN+J whx0YcPAcagGPlcbxMk8rFWhLqAQOacV1CYLAGGbpd/NEa6SHou0zbKg ZxYVtBr0yzEWLyuDd2F9wLLzsGiy/i+AestM1hlzm/wxOn8cq/9Em+ag oNE=
176.195.in-addr.arpa. 86400 IN RRSIG DNSKEY 5 4 86400 20051208112546 20051124112546 36555 176.195.in-addr.arpa. qBfqrQHCjdW2PV7XaabuYimfkl8lVYGZvO5EvxFSlA1TSwGzlx3F9ZFi 7kMwmTYH1ANJM9ZpEGHPr9bxeQPYWnMCV5PpwzaynUxALY8t0s1P5KFO yWmzQrXusGK+mkj8YF3SzCcSh0GUIxgJsAHLy2VKJUI4WMNAmPXeuWug IjoTgu/heYi3vJvtq3Gh53M8pLHSmGfbeiFn7glKvL3Ypb4FxlWs/W97 57TNODdnXBUFDALyDf7OTW3Mh6rUhBYGCns4j/9NYlSHvkyTd/ipbSiQ JDVtu1JqS++IZkFQh3C/diWBn/OImjalYWIjqm4GLBWpHRaLQAn0p6UM dDng9A==

;; Query time: 53 msec
;; SERVER: 2001:610:240:0:53::193#53(2001:610:240:0:53::193)
;; WHEN: Fri Nov 25 11:46:02 2005
;; MSG SIZE rcvd: 1142

It looks to me like DNSSEC isn't enabled on ns.ripe.net. This also
causes all sorts of errors being flagged by the delegation checker
(<http://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi>) that aren't
really there. That tool seems to have some trouble with DO queries to
our name servers as well :-( You might want to have a look at this.

Actually, if this delegation checker is the one being used by the
robot that processes the inverse delegation requests, I don't understand
why my request succeeded at all.

Regards,
Alex
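The symptom reported in the message above (a query sent with the DO flag comes back with an unsigned SOA) can be checked mechanically. The following is an added example, not part of the original message or of any RIPE NCC tool: it builds a DO-flagged query and lists the answer-section RR types that arrive without a covering RRSIG. All function names are illustrative, and the two sample responses are constructed with placeholder rdata and signature bytes rather than captured from ns.ripe.net.

```python
import struct

SOA, OPT, RRSIG = 6, 41, 46

def wire_name(name):
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def do_query(name, qtype, qid=1):
    """Non-recursive query with an EDNS0 OPT record whose flags carry DO (0x8000)."""
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)
    question = wire_name(name) + struct.pack("!HH", qtype, 1)
    return struct.pack("!6H", qid, 0, 1, 0, 0, 1) + question + opt

def skip_name(msg, off):
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def unsigned_answer_types(msg):
    """RR types in the answer section that arrive without a covering RRSIG."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    seen, covered = set(), set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == RRSIG:
            covered.add(struct.unpack("!H", msg[off:off + 2])[0])  # "type covered" field
        else:
            seen.add(rtype)
        off += rdlen
    return sorted(seen - covered)

# Constructed sample responses (placeholder rdata and signature, not captured traffic).
ZONE = "176.195.in-addr.arpa."
def rr(rtype, rdata):
    return wire_name(ZONE) + struct.pack("!HHIH", rtype, 1, 86400, len(rdata)) + rdata
def response(*rrs):
    head = struct.pack("!6H", 1, 0x8400, 1, len(rrs), 0, 0)  # QR + AA set
    return head + wire_name(ZONE) + struct.pack("!HH", SOA, 1) + b"".join(rrs)

SOA_RR = rr(SOA, b"\x00\x00" + struct.pack("!5I", 2005112409, 28800, 7200, 604800, 1800))
SIG_RR = rr(RRSIG, struct.pack("!HBBIIIH", SOA, 5, 4, 86400, 0, 0, 1691) + wire_name(ZONE) + b"sig")
print(unsigned_answer_types(response(SOA_RR)))          # SOA alone, as in the first dig output
print(unsigned_answer_types(response(SOA_RR, SIG_RR)))  # SOA plus RRSIG(SOA), the expected answer
```

A non-empty result for an authoritative answer from a signed zone means the server did not add signatures in response to the DO flag.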