16 Feb
2010
16 Feb
'10
2:16 a.m.
Mark Andrews wrote:
In message <87iq9ys512.fsf@mid.deneb.enyo.de>, Florian Weimer writes:
* Stephane Bortzmeyer:
It is highly improbable that all these name servers are unreachable from you. Therefore, I suspect that *content* is the issue. RIPE-NCC zones are signed with DNSSEC. Are you sure you do not have a broken middlebox which deletes DNSSEC-signed answers?
Ahem. dig's +trace doesn't use EDNS by default, so no signatures and (usually) no large responses.
I actually suspect no IPv6 path rather than DNSSEC, add a -4 to force IPv4.
And that is the solution! (and I upgraded the resolver on all the machines to 9.6.1-P1 before getting that far.) Thanks, Michelle