[Dnssec-deployment] H3C routers, NAT and NSEC3 problem ?
marka at isc.org
Thu Oct 21 21:34:38 EDT 2010
In message <20101021161444.GD61771 at macbook.catpipe.net>, Phil Regnauld writes:
> Hi folks,
> Has anyone here heard of possible problems with H3C (http://www.h3c.com/)
> routers which block NSEC3 records? Just did a side-by-side comparison
> between two machines running dig from the BIND 9.7.2 dist. with the following
> dig @e.ns.se ns eon.se +dnssec # NSEC, works
> dig @s.nic.dk byferier.dk ns +dnssec # NSEC3, dropped
> dig @f.ext.nic.fr nic.fr +dnssec # NSEC3, dropped
Which could also just be responses > 512 bytes being dropped.
The last two are ~800 bytes.
> I'm about to set up an NSEC3 signed zone so I can see what's being returned
> and prove that the H3C box is dropping the NSEC3 answers. Since it's a bit
> convoluted (I can't easily sniff the traffic on the outside interface of the
> router), I'd like to hear if anybody's heard of similar issues before I go
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
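
In the thread above, the only responses that were dropped are also the only ones reported as ~800 bytes, so the three queries cannot separate a size limit from NSEC3 filtering. The following is an added example, not code from the thread: it builds EDNS0 probes with a chosen advertised UDP size and classifies observations. The function names, the 400-byte size for the eon.se response and the idea of adding control observations are assumptions.

```python
import socket
import struct

def build_query(name, qtype, bufsize=4096, do=True, qid=0x1234):
    """Wire-format query with an EDNS0 OPT record advertising `bufsize`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL carries the DO flag
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def probe(server, name, qtype, bufsize, timeout=3.0):
    """Send one UDP query; return the response length, or None if nothing arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, bufsize), (server, 53))
        try:
            return len(s.recvfrom(65535)[0])
        except socket.timeout:
            return None

def diagnose(observations):
    """observations: (response_size, has_nsec3, received) tuples; size and content
    are taken from a vantage point that is not behind the router under test."""
    obs = list(observations)
    small_nsec3 = [r for size, n3, r in obs if n3 and size <= 512]
    large_plain = [r for size, n3, r in obs if not n3 and size > 512]
    # A small NSEC3 answer arriving, or a large NSEC3-free answer lost, points at size.
    size_evidence = any(small_nsec3) or not all(large_plain)
    # The opposite outcomes show that size alone does not explain the drops.
    type_evidence = not all(small_nsec3) or any(large_plain)
    if size_evidence and type_evidence:
        return "mixed"
    if size_evidence:
        return "size"
    if type_evidence:
        return "not-size"
    return "confounded"  # no control observation separates the two hypotheses

# Constructed from the thread: ~800 bytes is from the reply, 400 is an assumed value.
PAGE_OBS = [(400, False, True), (800, True, False), (800, True, False)]

if __name__ == "__main__":
    print(diagnose(PAGE_OBS))                         # the thread's data alone
    print(diagnose(PAGE_OBS + [(900, False, False)])) # constructed control: large, no NSEC3, lost
```

A control observation here is any response over 512 bytes that carries no NSEC3 record, or an NSEC3 response of 512 bytes or less, measured both behind the router and from an unaffected host.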