Hi Peter Peter Thomassen via knot-dns-users <[email protected]> wrote: > On 4/13/25 22:17, Michael Grimm via knot-dns-users wrote:
>> Oh, that list includes RIPE NCC [1]. Does that mean: it is possible to >> bootstrap DNSSEC for my ip6.arpa zone? > [...] >> [1] >> https://docs.db.ripe.net/Database-Support/Configuring-Reverse-DNS/#automated-update-of-dnssec-delegations > > The way I read their docs is that they only use RFC 7344, which means you can > use CDS/CDNSKEY records in your zone to *update* your pre-existing DS records. > > For configuring DS records for the first time ("bootstrap"), they would need > to support RFC 8078 and/or RFC 9615, but apparently they don't do that (yet?). > > All of this of course only applies if your zone is delegated directly from a > parent zone run by RIPE. If it's delegated from an intermediate zone run by > someone else, you'll have to ask that operator. Thanks for your feedback. Then it seems, that I do have to stick with an unsecured ip6.arpa zone, because OVH doesn't support that for the time being. Even their own ip6.arpa zone isn't secured [1], if I am not mistaken. Thanks again and regards, Michael [1] https://dnsviz.net/d/0.d.1.4.1.0.0.2.ip6.arpa/dnssec/ --
