[122493] in North American Network Operators' Group


Re: in-addr.arpa server problems for europe?

daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Feb 15 13:55:38 2010

From: Florian Weimer <fw@deneb.enyo.de>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Date: Mon, 15 Feb 2010 19:55:05 +0100
In-Reply-To: <20100215115813.GB26024@nic.fr> (Stephane Bortzmeyer's message of
	"Mon, 15 Feb 2010 12:58:13 +0100")
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

* Stephane Bortzmeyer:

> It is highly improbable that all these name servers are unreachable
> from you. Therefore, I suspect that *content* is the issue. RIPE-NCC
> zones are signed with DNSSEC. Are you sure you do not have a broken
> middlebox which deletes DNSSEC-signed answers?

Ahem. dig's +trace doesn't use EDNS by default, so no signatures and
(usually) no large responses.

For extra realism, you need to add +dnssec +norecurse, and +all for
usefulness.
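
What those flags change on the wire, as an added example that is not part of the original post: +dnssec makes dig attach an EDNS0 OPT record with the DO bit set, which is what requests signatures and permits UDP responses over 512 bytes, and +norecurse clears the RD header flag. The name 2.0.192.in-addr.arpa, the query ID and the 4096-byte buffer size are constructed sample values.

```python
import struct

TYPE_PTR, TYPE_OPT, CLASS_IN = 12, 41, 1
FLAG_RD = 0x0100   # header flag: recursion desired (cleared by +norecurse)
EDNS_DO = 0x8000   # OPT flag: DNSSEC OK (set by +dnssec)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_PTR, rd=True, dnssec=False, udp_size=4096, qid=0x1234):
    """Build a wire-format query; dnssec=True appends an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD if rd else 0, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if dnssec:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode|version|flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt

def describe(query):
    """Report the query fields that decide what an authoritative server sends back."""
    _, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
    pos = 12
    for _ in range(qdcount):            # skip each question: labels, root, type+class
        while query[pos]:
            pos += 1 + query[pos]
        pos += 1 + 4
    # Without EDNS a server must keep UDP answers within 512 bytes and sends no RRSIGs.
    info = {"rd": bool(flags & FLAG_RD), "edns": False, "do": False, "max_udp": 512}
    for _ in range(arcount):            # queries built above only carry root-named OPT here
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", query[pos + 1:pos + 11])
        if query[pos] == 0 and rtype == TYPE_OPT:
            info.update(edns=True, do=bool(ttl & EDNS_DO), max_udp=rclass)
        pos += 11 + rdlen
    return info

if __name__ == "__main__":
    name = "2.0.192.in-addr.arpa"       # constructed sample name (documentation range)
    plain = build_query(name)                            # no EDNS at all
    signed = build_query(name, rd=False, dnssec=True)    # +dnssec +norecurse
    for label, q in (("no EDNS", plain), ("+dnssec +norecurse", signed)):
        print(f"{label:20s} {len(q):3d} bytes  {describe(q)}")
```

A middlebox that mishandles EDNS or large signed responses only shows up with the second kind of query, which is why a test without it can look clean.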

