In message <87iq9ys512.fsf@mid.deneb.enyo.de>, Florian Weimer writes:
* Stephane Bortzmeyer:
It is highly improbable that all these name servers are unreachable from you. Therefore, I suspect that *content* is the issue. RIPE-NCC zones are signed with DNSSEC. Are you sure you do not have a broken middlebox which deletes DNSSEC-signed answers?
Ahem. dig's +trace doesn't use EDNS by default, so no signatures and (usually) no large responses.
I actually suspect no IPv6 path rather than DNSSEC, add a -4 to force IPv4. drugs# foreach h ( SUNIC.SUNET.SE TINNIE.ARIN.NET NS-PRI.RIPE.NET NS3.NIC.FR SEC3.APNIC.NET SEC1.APNIC.NET SNS-PB.ISC.ORG ) foreach? echo $h `dig +short $h aaaa` foreach? end SUNIC.SUNET.SE 2001:6b0:7::2 TINNIE.ARIN.NET 2001:500:13::c7d4:35 NS-PRI.RIPE.NET 2001:610:240:0:53::3 NS3.NIC.FR 2001:660:3006:1::1:1 SEC3.APNIC.NET 2001:dc0:1:0:4777::140 SEC1.APNIC.NET 2001:dc0:2001:a:4608::59 SNS-PB.ISC.ORG 2001:500:2e::1 drugs# Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org