[dns-operations] Signing of the ARPA zone

Olafur Gudmundsson ogud at ogud.com
Mon Mar 22 06:16:18 UTC 2010


On 21/03/2010 9:06 PM, David Conrad wrote:
> On Mar 21, 2010, at 5:39 PM, Doug Barton wrote:
>> I know that historically not all of the roots have served the ARPA zone,
>> but I'm wondering if it wouldn't make sense to make them all consistent
>> at this point.
>
> Personally speaking, I believe the ARPA zone should consistently not be on any of the root servers.  See RFC 2870 section 2.5.
>
> Regards,
> -drc
>
>

Some people argue that it is a bad idea to serve a parent and
child DNSSEC-signed zone from the same server,
as it is more work for a validating resolver to get all the
information it needs than when the server set is disjoint.
I.e., it will not learn the DS through the normal resolution process,
but needs to issue an explicit DS question.
See:
http://sel.icann.org/bitcache/8dbb200871a9093fc4e9de51c349086664d53d49?vid=7554&disposition=attachment&op=download

	Olafur
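
Added example (not part of the original message): a toy Python model of the point made above, showing which DS RRsets a validating resolver picks up from referrals and which it must ask for explicitly. The zone chain, server-set names and function names are constructed for illustration; it assumes every zone is signed and that a referral carries the child's DS RRset.

```python
# Toy model with constructed data: which DS RRsets does a validating resolver
# learn from referrals, and which must it fetch with an explicit DS query?
# Assumes every zone is signed and referrals carry the child's DS RRset.

# Delegation chain for a constructed query name under in-addr.arpa.
CHAIN = [".", "arpa.", "in-addr.arpa."]

# Hypothetical server sets: zone -> name of the server set hosting it.
SHARED = {".": "root-ns", "arpa.": "root-ns", "in-addr.arpa.": "inaddr-ns"}
DISJOINT = {".": "root-ns", "arpa.": "arpa-ns", "in-addr.arpa.": "inaddr-ns"}


def ds_from_referrals(hosting):
    """Walk the chain from the root; return zones whose DS came in a referral."""
    learned = set()
    server = hosting[CHAIN[0]]
    while True:
        # A server answers from the deepest zone it is authoritative for.
        deepest = max(i for i, zone in enumerate(CHAIN) if hosting[zone] == server)
        if deepest == len(CHAIN) - 1:
            return learned  # reached the zone that holds the answer
        child = CHAIN[deepest + 1]
        learned.add(child)  # the referral to `child` includes its DS RRset
        server = hosting[child]


def explicit_ds_queries(hosting):
    """Zones on the chain whose DS the resolver must ask the parent for."""
    needed = set(CHAIN[1:])  # every non-root zone needs a DS to link the chain
    return sorted(needed - ds_from_referrals(hosting))


if __name__ == "__main__":
    for label, hosting in (("shared", SHARED), ("disjoint", DISJOINT)):
        print(label, "-> explicit DS queries for:", explicit_ds_queries(hosting))
```

When the root and ARPA share a server set, the root server answers from the ARPA zone directly, so no referral to ARPA (and no ARPA DS) is ever seen.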


