[as112-ops] draft to include more IPv4 reverse zone delegations

Paul Vixie vixie at isc.org
Fri May 13 18:41:45 UTC 2011


> From: Joe Abley <jabley at hopcount.ca>
> Date: Fri, 13 May 2011 11:32:38 -0400
> 
> > apropos of authoritativeness, i think it's time to start planning for
> > dnssec signing of AS112 zones.  this would mean using a signing key for
> > which the "usually secret" part was published.
> 
> What is the value in signing with a public private key?

that depends.  if in-addr.arpa and ip6.arpa will always be signed with NSEC3
and opt-out then there's no benefit.  if we want the option of using NSEC or
using NSEC3 without opt-out then we'd need this.

there's also a subtle difference between proving authenticity and preventing
unintended leaks/pollution.  a public signing key can help with the latter in
many cases that a completely unsigned zone will not help at all.

it's also a precedent setting cool hack, like AS112.  just as unowned anycast
was proved viable, so public signing can be.


More information about the as112-ops mailing list