Ted,

On Aug 21, 2008, at 4:48 PM, Ted Lemon wrote:
> It looks like it's sort of half-signed - if I query the right authoritative server, I do get a signed response, but most of the servers authoritative for ip6.arpa do not respond with signed responses.

Err, no. It isn't signed, at least officially. If you query ns.iana.org (which isn't one of the official name servers for ip6.arpa), you'll get back a signed response because it is part of the DNSSEC testbed IANA has deployed (see https://ns.iana.org/dnssec/status.html). However, if you query any of the official name servers, you shouldn't get back a signed response. If you are getting a signed response, please let me know as something would be horribly wrong.

> Since not everybody responds that way, it's effectively not signed. How come? There's no giant user base whose ox will be gored here. It seems like a no-brainer.

Quite some time ago, the IAB asked IANA to sign .ARPA and the children of ARPA IANA had responsibility for. IANA developed a set of tools to help facilitate this and have been running a testbed for more than a year now. Unfortunately, signing .ARPA and its children got tangled up in layer 9 stuff. In Dublin, there was some agreement on how to move forward and I expect/hope there to be progress in the near future (but of course, nothing in layer 9 is ever guaranteed).

Regards,
-drc

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
