[dns-wg] RIPE NCC DNSSEC on the reverse tree update.

Brett,

On Fri, 25 Nov 2005 14:41:34 +0100, "Brett Carr" <brettcarr at ripe.net> said:

>> -----Original Message-----
>> From: Alexander Gall [mailto:gall at switch.ch] 
>> Sent: 25 November 2005 11:48
>> To: Brett Carr
>> Cc: dns-wg at ripe.net
>> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.

[...]

>> 
>> However, I think there is a problem with ns.ripe.net.  It 
>> doesn't return DNSSEC RRsets when the DO flag is set in the query:
>> 

[...]

> I found a small config typo, which I have fixed, it should be ok now though.

Thanks, it looks good now.  

Did you have a chance to look (or have somebody else have a look :-)
at <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the zone
176.195.in-addr.arpa?  I can see two problems:

- For some reason, the tool doesn't get replies to queries for NS and
  DNSKEY records at our name servers {merapi,scsnms}.switch.ch with
  the DO flag set.  The tool then (erroneously) concludes that these
  RRsets are inconsistent among the servers for the zone.

  I see the queries coming in on our servers from 193.0.0.214.  Could
  it be that the replies are filtered somwhere in your network (having
  strange flags and all that)?

- It complains about the SEP Key (i.e. KSK) not being self-signed.  I
  suppose this means that there is no RRSIG(DNSKEY) by the KSK.
  However, I'm pretty sure there are valid RRSIGs from both the ZSK
  and KSK.

Regards,
Alex