-----Original Message-----
From: Stephane Bortzmeyer [mailto:bortzmeyer@nic.fr]
Sent: Monday, February 15, 2010 12:58 PM
To: Michelle Sullivan
Cc: NANOG list
Subject: Re: in-addr.arpa server problems for europe?
On Mon, Feb 15, 2010 at 10:22:17AM +0100, Michelle Sullivan <matthew@sorbs.net> wrote a message of 185 lines which said:
213.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET.
213.in-addr.arpa. 86400 IN NS NS3.NIC.FR.
213.in-addr.arpa. 86400 IN NS SUNIC.SUNET.SE.
213.in-addr.arpa. 86400 IN NS SNS-PB.ISC.ORG.
213.in-addr.arpa. 86400 IN NS SEC1.APNIC.NET.
213.in-addr.arpa. 86400 IN NS SEC3.APNIC.NET.
213.in-addr.arpa. 86400 IN NS TINNIE.ARIN.NET.
;; Received 224 bytes from 192.228.79.201#53(B.ROOT-SERVERS.NET) in 20011 ms
;; connection timed out; no servers could be reached
It is highly improbable that all these name servers are unreachable from you. Therefore, I suspect that *content* is the issue. RIPE-NCC zones are signed with DNSSEC. Are you sure you do not have a broken middlebox which deletes DNSSEC-signed answers?
(I tried from a US/Datotel/Level3 machine and everything works.)
Solution: stop using DNSSEC or checking for DNSSEC. If you think it is useful: look for everything that could have an impact on it.
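One way to test the middlebox hypothesis raised in this thread, as an added example that is not part of either message: send the same NS query to one authoritative server three times (plain UDP, UDP with the EDNS0 DO bit set, and TCP with the DO bit set) and compare which answers come back. The function names and the result strings are assumptions made for this illustration.

```python
import socket
import struct
import sys

DO_FLAG = 0x8000  # "DNSSEC OK" bit, carried in the OPT record's TTL field

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=2, dnssec=False, bufsize=4096, qid=0x1234):
    """Non-recursive query (default type NS); dnssec=True appends EDNS0 OPT with DO."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, DO_FLAG, 0) if dnssec else b""
    return header + question + opt

def probe(server, query, tcp=False, timeout=3.0):  # response length, or None
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                hdr = s.recv(2)  # TCP responses carry a 2-byte length prefix
                return struct.unpack("!H", hdr)[0] if len(hdr) == 2 else None
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return len(s.recv(65535))
    except OSError:  # includes timeouts and refused connections
        return None

def diagnose(plain, with_do, with_do_tcp):
    """Classify the three probe results (each a byte count or None)."""
    if with_do is not None:
        return "ok: answers to DO queries get through on UDP"
    if plain is not None:
        tail = " (TCP still works)" if with_do_tcp is not None else ""
        return "filtered: plain UDP works, answers to DO queries are lost" + tail
    if with_do_tcp is not None:
        return "udp-blocked: only TCP reaches the server"
    return "unreachable: no probe was answered"

if __name__ == "__main__":
    server, zone = sys.argv[1:3]  # name server address, then e.g. 213.in-addr.arpa
    signed = build_query(zone, dnssec=True)
    results = (probe(server, build_query(zone)), probe(server, signed), probe(server, signed, tcp=True))
    print(results, diagnose(*results))
```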