* Stephane Bortzmeyer:

> It is highly improbable that all these name servers are unreachable
> from you. Therefore, I suspect that *content* is the issue. RIPE-NCC
> zones are signed with DNSSEC. Are you sure you do not have a broken
> middlebox which deletes DNSSEC-signed answers?

Ahem. dig's +trace doesn't use EDNS by default, so no signatures and (usually) no large responses. For extra realism, you need to add +dnssec +norecurse, and +all for usefulness.
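
What the flags named above change on the wire, as an added example that is not part of the original message: a query without EDNS is limited to 512-byte UDP answers and gets no RRSIGs, while `+dnssec` appends an OPT record with the DO bit and `+norecurse` clears RD. The function names and the 4096-byte buffer size are assumptions chosen for illustration.

```python
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed labels (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, rd=True, dnssec=False, udp_size=4096, qid=0x1234):
    """Build a DNS query; dnssec=True appends an EDNS0 OPT record with DO set."""
    flags = 0x0100 if rd else 0          # RD bit; cleared by +norecurse
    arcount = 1 if dnssec else 0
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if dnssec:
        # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode 0, version 0, flags with DO = 0x8000; RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return msg

def describe(msg):
    """Parse back the fields a filtering middlebox could key on."""
    _, flags, _, _, _, arcount = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    while msg[pos]:                      # skip the QNAME labels
        pos += msg[pos] + 1
    pos += 1 + 4                         # root label, QTYPE, QCLASS
    info = {"rd": bool(flags & 0x0100), "edns": False, "do": False,
            "udp_size": 512}             # 512 is the limit without EDNS
    if arcount:                          # assumes the only extra RR is OPT
        rtype, rclass, ttl, _ = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        if rtype == 41:
            info.update(edns=True, do=bool(ttl & 0x8000), udp_size=rclass)
    return info

if __name__ == "__main__":
    # Constructed sample: NS query (type 2) for ripe.net, both variants.
    print("no EDNS        :", describe(build_query("ripe.net", 2)))
    print("DO, RD cleared :", describe(build_query("ripe.net", 2, rd=False, dnssec=True)))
```
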