[dns-operations] The reverse for ::1 is signed as non-existant when it should be.
Chris Thompson
cet1 at cam.ac.uk
Fri Feb 17 12:09:17 UTC 2012
On Feb 17 2012, Mark Andrews wrote:
>As per RFC 6303 this answer should not be signed. See IANA
>Considerations. Please take steps to correct. This is breaking
>validating stub resolvers and validating nameservers that forward
>this request to a nameserver with default local zones configured.
Not to argue with this, but surely the same is true for 127.0.0.1?
That is, the in-addr.arpa zone securely denies the existence of
anything between 126.in-addr.arpa and 128.in-addr.arpa.
As in-addr.arpa and ip6.arpa use NSEC, without the possibility of
opt-out that NSEC3 offers, there need to be insecure delegations
to *something*. Are you proposing that the blackhole-*,iana.org
network take them on?
--
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
More information about the dns-operations
mailing list