[dns-operations] TCP Revisited

Anand Buddhdev anandb at ripe.net
Mon Jun 29 12:33:07 UTC 2009

On 26/6/09 16:29, Michael Graff wrote:

> While doing some DNSSEC things today, I found that one server in the
> e164.arpa zone behaved in a somewhat unfriendly way.  e164.arpa is a
> signed zone, and therefore all the DNS servers for that zone should be
> capable of serving DNSSEC data.
> One server, e164-arpa.cnnic.net.cn with address, does not
> respond to queries with DO set nor does it respond to queries over TCP.
> % dig @ e164.arpa. dnskey
>     results in TC, failed TCP
> % dig @ e164.arpa. dnskey +vc
>     results in a timeout.
> % dig @ e164.arpa. dnskey +dnssec
>     times out.  tcpdump shows no response at all.
> I have attempted to contact RIPE about this since they are the primary
> for this zone.

This issue has now been resolved. It turns out that TCP/53 had been blocked. It
is now open again, and the server answers queries over TCP.

Anand Buddhdev
DNS Services Manager, RIPE NCC

More information about the dns-operations mailing list