[dns-operations] The reverse for ::1 is signed as non-existant when it should be.

Chris Thompson cet1 at cam.ac.uk
Fri Feb 17 12:09:17 UTC 2012

On Feb 17 2012, Mark Andrews wrote:

>As per RFC 6303 this answer should not be signed.  See IANA
>Considerations.  Please take steps to correct.  This is breaking
>validating stub resolvers and validating nameservers that forward
>this request to a nameserver with default local zones configured.

Not to argue with this, but surely the same is true for
That is, the in-addr.arpa zone securely denies the existence of
anything between 126.in-addr.arpa and 128.in-addr.arpa.

As in-addr.arpa and ip6.arpa use NSEC, without the possibility of
opt-out that NSEC3 offers, there need to be insecure delegations
to *something*. Are you proposing that the blackhole-*,iana.org
network take them on?

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

More information about the dns-operations mailing list