This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] RIPE NCC DNSSEC on the reverse tree update.
- Previous message (by thread): [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
- Next message (by thread): [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Alexander Gall
gall at switch.ch
Fri Nov 25 15:21:42 CET 2005
Brett, On Fri, 25 Nov 2005 14:41:34 +0100, "Brett Carr" <brettcarr at ripe.net> said: >> -----Original Message----- >> From: Alexander Gall [mailto:gall at switch.ch] >> Sent: 25 November 2005 11:48 >> To: Brett Carr >> Cc: dns-wg at ripe.net >> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update. [...] >> >> However, I think there is a problem with ns.ripe.net. It >> doesn't return DNSSEC RRsets when the DO flag is set in the query: >> [...] > I found a small config typo, which I have fixed, it should be ok now though. Thanks, it looks good now. Did you have a chance to look (or have somebody else have a look :-) at <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the zone 176.195.in-addr.arpa? I can see two problems: - For some reason, the tool doesn't get replies to queries for NS and DNSKEY records at our name servers {merapi,scsnms}.switch.ch with the DO flag set. The tool then (erroneously) concludes that these RRsets are inconsistent among the servers for the zone. I see the queries coming in on our servers from 193.0.0.214. Could it be that the replies are filtered somwhere in your network (having strange flags and all that)? - It complains about the SEP Key (i.e. KSK) not being self-signed. I suppose this means that there is no RRSIG(DNSKEY) by the KSK. However, I'm pretty sure there are valid RRSIGs from both the ZSK and KSK. Regards, Alex
- Previous message (by thread): [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
- Next message (by thread): [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]