[dns-operations] Signing of the ARPA zone

Joe Abley jabley at hopcount.ca
Fri Mar 26 18:39:49 UTC 2010


On 2010-03-26, at 10:55, Simon Leinen wrote:

> And if so, could this have been prevented by the phase-in procedure of
> DNSSEC for .ARPA? (And if so, how?)

I heard no reports of anything breaking as a direct consequence of ARPA being signed.

I *have* heard some reports of disruptions when people added the trust anchor for ARPA to their validator automatically, which were resolved by manual operator intervention.

I think the distinction is important, because the implications of the former are that we need to put the brakes on DNSSEC deployment in TLDs and perhaps the root, something that I don't think anybody wants to happen unnecessarily.

So, to be clear: you are saying that you have identified an operational problem when you add a trust anchor, right?


Joe

