On 02/10/14 18:05, Mark Andrews wrote:
>
> In message
> <camclrkgpqt+klgfhh+9yztjhke+-9uy9_d9vgejefjbbefb...@mail.gmail.com>
> , Mark Boolootian writes:
>> I'm interested in knowing if it is standard practice amongst folks to
>> sign .arpa zones. Is there a compelling use case for signing reverse
>> zones?
>
> All zones should be signed. For structured zones like these NSEC3
> is pointless. A signed reverse zone can be leveraged to provide
> cryptographically secure communication to an IP.
>
>> Thoughts appreciated,
>> mark

I vaguely recall being asked about signing our reverse zones, in connection with exploration in some sort of extended use of DNSSEC...though I can't recall what that was. I recall discussion of doing SSL without using a known CA as something that can be done, perhaps there was something about SSH that could be done with reverse DNS?

Anyways....I couldn't do it, we've lost control of our ARIN record. ARIN only allows named individual contacts to manage the information...not role contacts. Our netblock lists 3 role contacts, DNS, Networking and Abuse. And, one individual who hasn't worked here in years (> 16?).

When all the contacts for our netblock get abuse notifications....I kept getting asked why somebody who hasn't been here for a long time is still a contact. Well, you do a whois on our IP space and he's listed. They go off to try to remove him... And, then the next time we get emails...he's still included, and I get asked again and things repeat....

Never understood why they didn't actually do what they said they would. Until I went to see about doing signing of our reverse....

Of course, I have two /24's that I've also lost control of. Even though I'm the remaining named contact for the net blocks, they are linked to organizations that have long ago ceased to exist. But, they require that I prove the organization's existence before I can disassociate the blocks from them. And, in one case to release a /24.

It does make me wonder sometimes, how much IPv4 space is assigned that is available but due to ARIN's policies is lost.... Guess nobody knew that when you dissolve a company/organization that they should release their IP space.

Unlike their domain name, which was immediately snapped for obscene purposes when it expired. Because of that, there are a few domains that I've been renewing on my own...though some TLDs have gotten more expensive, so I'll probably let a couple of them expire soon.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
