[dns-operations] TCP Revisited

Michael Graff mgraff at isc.org
Fri Jun 26 14:29:04 UTC 2009

While doing some DNSSEC things today, I found that one server in the 
e164.arpa zone behaved in a somewhat unfriendly way.  e164.arpa is a 
signed zone, and therefore all the DNS servers for that zone should be 
capable of serving DNSSEC data.

One server, e164-arpa.cnnic.net.cn with address, does not 
respond to queries with DO set nor does it respond to queries over TCP.

% dig @ e164.arpa. dnskey
     results in TC, failed TCP
% dig @ e164.arpa. dnskey +vc
     results in a timeout.
% dig @ e164.arpa. dnskey +dnssec
     times out.  tcpdump shows no response at all.

I have attempted to contact RIPE about this since they are the primary 
for this zone.


More information about the dns-operations mailing list