I don't think ARIN support of alg 13 is an issue. I run plenty of ARIN-delegated reverse domains with alg 13 and alg 14 that work fine.
I think the problem is that your RRSIGs are expired:

;; ANSWER SECTION:
25.96.192.in-addr.arpa. 172771 IN NS secdns2.posix.co.za.
25.96.192.in-addr.arpa. 172771 IN NS secdns1.posix.co.za.
25.96.192.in-addr.arpa. 172771 IN NS control.vweb.co.za.
25.96.192.in-addr.arpa. 86369 IN RRSIG NS 8 5 86400 *20191228210114* 20191128210114 65283 25.96.192.in-addr.arpa. C/kpJN0ZZW77w8GSrZ3aKiV3IIRnFZ2bRYTlN6gT/2seOA3YSDL/iwuv nkhSbR+PFtTjZM73hp9RFHt9XmutwVOE+fT6adX56ofCBS7YG463XiOA uDWarUkUUFf+ZyKXLbwqVRyNLXPJl0hgadNpEt4wfTUSn39ZUIq+a/9y d54=
25.96.192.in-addr.arpa. 86369 IN RRSIG NS 13 5 86400 *20191228210114* 20191128210114 10628 25.96.192.in-addr.arpa. 9ZSyvefs5uot0GnEbXj+A88bzFTfchgzrJmh0ZmGfCieTX6lyLdAjfBc rEq2VtFIxXAP8cHDUCr0fU+SRxqKew==

(NOTE: emphasis added in the expired RRSIGs above)

michael

On 2020-03-05 10:31, Mark Elkins wrote:
> Hi,
>
> Just joined the list and I've searched back 12 months and see no similar
> topic.
>
> I've been DNSSEC Signing my domains for several years - probably as I
> was teaching others how to do that.
> This includes my Reverse DNS too.
> I am in the AFRINIC Region.
> I have some Legacy IPv4 address space - originally from ARIN.
> 192.96.24.0 - 192.96.24.31 (and others)
>
> About six months ago - I started the process of changing everything from
> Algorithm 8 (RSA/SHA-256) to Algorithm 13 (ECDSA Curve P-256 with
> SHA-256). From my point of view, everything has been working completely
> automatically - except for the Reverse DNS - where I have to go to
> "my.afrinic.net" and manually update DS Records (there is no automation
> for this at AFRINIC).
>
> Please look at 24.96.192.in-addr.arpa. and 25.96.192.in-addr.arpa.
> 24 is no longer signed (because of this problem), 25 is signed (algo 13)
>
> The Parent for the legacy block 24.96.192.in-addr.arpa is
> 192.in-addr.arpa - whose nameservers include z.arin.net.
>
> In that zone file - there is a DS record for 25.96.192.in-addr.arpa:-
>
> 25.96.192.in-addr.arpa. 86289 IN DS 36223 13 2
> 5DA9B9AC1C9D9C72434BEC68E9C5CF36A10FA480E6551CC9F2538745 4932E14E
> (This is the correct DS record - you can ask for the CDS for this from
> control.vweb.co.za)
>
> ...but asking a DNSSEC aware recursive resolver gives....SERVFAIL.
>
> dig @1.1.1.1 25.96.192.in-addr.arpa ns
>
> ; <<>> DiG 9.14.8 <<>> @1.1.1.1 25.96.192.in-addr.arpa ns
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39329
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ...
>
> This worked perfectly with Algorithm 8, before I moved to Algorithm 13.
>
> *When will the DNS system at ARIN support Algorithm 13?*
>
> My IPv6 Reverse DNS signed with DNSSEC works perfectly with Algorithm 13.
>
> $ dig -x 2001:42a0::1 @1.1.1.1 +dnssec +multiline
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa. 7200
> IN PTR control.vweb.co.za.
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa. 7200
> IN RRSIG PTR 13 34 7200 (...
>
>
> --
>
> Mark James ELKINS - Posix Systems - (South) Africa
> [email protected] Tel: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
>
> _______________________________________________
> arin-tech-discuss mailing list
> [email protected]
> https://lists.arin.net/mailman/listinfo/arin-tech-discuss
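The diagnosis above (a validator returning SERVFAIL because both RRSIGs are past their expiration time) is something an operator can check from dig output before suspecting the parent's algorithm support. The following is an added example, not code from the thread or from either list member: it parses RRSIG records in dig presentation format, compares the inception/expiration fields (YYYYMMDDHHmmSS, UTC) against a given reference time, and reports each signature's validity state. The sample input is the two RRSIG NS records quoted in the reply, reflowed one record per line with the algorithm-8 signature data abbreviated.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed sample: the two RRSIG NS records from the dig output in the thread,
# one record per line (dig wraps the base64 signature data across lines).
SAMPLE_DIG_OUTPUT = """\
25.96.192.in-addr.arpa. 172771 IN NS secdns2.posix.co.za.
25.96.192.in-addr.arpa. 86369 IN RRSIG NS 8 5 86400 20191228210114 20191128210114 65283 25.96.192.in-addr.arpa. C/kpJN0ZZW77w8GSrZ3aKiV3IIRnFZ2bRYTlN6gT/2seOA3YSDL/iwuv...
25.96.192.in-addr.arpa. 86369 IN RRSIG NS 13 5 86400 20191228210114 20191128210114 10628 25.96.192.in-addr.arpa. 9ZSyvefs5uot0GnEbXj+A88bzFTfchgzrJmh0ZmGfCieTX6lyLdAjfBcrEq2VtFIxXAP8cHDUCr0fU+SRxqKew==
"""

class RRSig(NamedTuple):
    owner: str
    covered: str       # RR type the signature covers (NS, PTR, ...)
    algorithm: int     # 8 = RSA/SHA-256, 13 = ECDSA P-256/SHA-256
    key_tag: int
    inception: datetime
    expiration: datetime

# Presentation format (RFC 4034 section 3.2): owner TTL IN RRSIG type alg labels
# original-TTL expiration inception key-tag signer-name signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+\S+"
)

def _timestamp(field: str) -> datetime:
    # RRSIG times are YYYYMMDDHHmmSS in UTC, no timezone suffix
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text: str) -> list[RRSig]:
    """Extract every RRSIG record from dig-style output; non-RRSIG lines are skipped."""
    sigs = []
    for line in text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            sigs.append(RRSig(m["owner"], m["covered"], int(m["alg"]), int(m["tag"]),
                              _timestamp(m["inc"]), _timestamp(m["exp"])))
    return sigs

def check_rrsig(sig: RRSig, now: datetime) -> str:
    """Validator rule (RFC 4035 section 5.3.1): inception <= now <= expiration."""
    if now < sig.inception:
        return "not yet valid"
    if now > sig.expiration:
        return "expired"
    return "valid"

def report(text: str, now: datetime) -> dict[int, str]:
    """Map each signing algorithm found to its validity state at time `now`."""
    return {sig.algorithm: check_rrsig(sig, now) for sig in parse_rrsigs(text)}
```

Run against the sample with the date of the original mail (2020-03-05) as the reference time, both the algorithm 8 and algorithm 13 signatures come back as expired, which is exactly what a validating resolver sees.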
