[Dnssec-deployment] H3C routers, NAT and NSEC3 problem ?

Mark Andrews marka at isc.org
Thu Oct 21 21:34:38 EDT 2010

In message <20101021161444.GD61771 at macbook.catpipe.net>, Phil Regnauld writes:
> Hi folks,
> Has anyone here heard of possible problems with H3C (http://www.h3c.com/)
> routers which block NSEC3 records ?  Just did a side-by-side comparison
> between two machines running dig from the BIND 9.7.2 dist. with the following
> queries:
> dig @e.ns.se ns eon.se +dnssec              # NSEC, works
> dig @s.nic.dk byferier.dk ns +dnssec        # NSEC3, dropped
> dig @f.ext.nic.fr nic.fr +dnssec            # NSEC3, dropped

Which could also just be responses > 512 bytes being dropped.
The last two are ~800 bytes.
> I'm about to setup an NSEC3 signed zone so I can see what's being returned
> and prove that the H3C box is dropping the NSEC3 answers.  Since it's a bit
> convoluted (I can't easily sniff the traffic on the outside interface of the
> router), I'd like to hear if anybody's heard of similar issues before I go
> ahead.
> Cheers,
> Phil
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the Dnssec-deployment mailing list