[as112-ops] draft to include more IPv4 reverse zone delegations
Paul Vixie
vixie at isc.org
Fri May 13 18:41:45 UTC 2011
> From: Joe Abley <jabley at hopcount.ca>
> Date: Fri, 13 May 2011 11:32:38 -0400
>
> > apropos of authoritativeness, i think it's time to start planning for
> > dnssec signing of AS112 zones. this would mean using a signing key for
> > which the "usually secret" part was published.
>
> What is the value in signing with a public private key?
that depends. if in-addr.arpa and ip6.arpa will always be signed with NSEC3
and opt-out then there's no benefit. if we want the option of using NSEC or
using NSEC3 without opt-out then we'd need this.
there's also a subtle difference between proving authenticity and preventing
unintended leaks/pollution. a public signing key can help with the latter in
many cases that a completely unsigned zone will not help at all.
it's also a precedent setting cool hack, like AS112. just as unowned anycast
was proved viable, so public signing can be.
More information about the as112-ops
mailing list