Mark Andrews wrote: > In message <87iq9ys512....@mid.deneb.enyo.de>, Florian Weimer writes: > >> * Stephane Bortzmeyer: >> >> >>> It is highly improbable that all these name servers are unreachable >>> from you. Therefore, I suspect that *content* is the issue. RIPE-NCC >>> zones are signed with DNSSEC. Are you sure you do not have a broken >>> middlebox which deletes DNSSEC-signed answers? >>> >> Ahem. dig's +trace doesn't use EDNS by default, so no signatures and >> (usually) no large responses. >> > > I actually suspect no IPv6 path rather than DNSSEC, add a -4 to force IPv4. >
And that is the solution! (and I upgraded the resolver on all the machines to 9.6.1-P1 before getting that far.) Thanks, Michelle
