On Feb 10 2014, Mark Boolootian wrote:
> I'm interested in knowing if it is standard practice amongst folks to sign .arpa zones. Is there a compelling use case for signing reverse zones?

We sign our (public) reverse zones. So if it isn't standard practice, it ought to be :-)

The RIRs invested substantial effort to sign the high-level reverse zones for which they are responsible, and adding support for including DS records for their clients, feeding them to each other in cases when more than one RIR is involved. It would be a pity not to take advantage of that.

Of course, not all registrars think that way. It's a matter of increasing annoyance to me that although we have DNSSEC chains of trust from the root for our ERX reverse zones (e.g. 111.131.in-addr.arpa), we don't for reverse zones acquired later (e.g. 95.60.193.in-addr.arpa) - including for all our IPv6 address space - because JANET have still not got around to signing the intermediate zones between us and RIPE-NCC. It's the main reason we can't abandon DLV yet.

--
Chris Thompson
University of Cambridge Computing Service,
Roger Needham Building, 7 JJ Thomson Avenue,
Cambridge CB3 0RB, United Kingdom.
Email: [email protected]
Phone: +44 1223 334715
