[dns-operations] The reverse for ::1 is signed as non-existent when it should be.
Mark Andrews
marka at isc.org
Fri Feb 17 14:16:28 UTC 2012
In message <Prayer.1.3.4.1202171209170.13545 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> On Feb 17 2012, Mark Andrews wrote:
>
> >As per RFC 6303 this answer should not be signed. See IANA
> >Considerations. Please take steps to correct. This is breaking
> >validating stub resolvers and validating nameservers that forward
> >this request to a nameserver with default local zones configured.
>
> Not to argue with this, but surely the same is true for 127.0.0.1?
> That is, the in-addr.arpa zone securely denies the existence of
> anything between 126.in-addr.arpa and 128.in-addr.arpa.
I noticed the reverse for ::1 in my logs. I didn't go looking for
others. This should be enough of a heads-up for IANA to check all the
domains listed in RFC 6303.
> As in-addr.arpa and ip6.arpa use NSEC, without the possibility of
> opt-out that NSEC3 offers, there need to be insecure delegations
> to *something*. Are you proposing that the blackhole-*,iana.org
> network take them on?
That's up to IANA/RIRs. An insecure delegation to the same servers as the
parent zone is sufficient to break the chain of trust.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
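The following is an added illustration of the point made in this exchange; it is not code from the post, from ISC, or from BIND. It models what a DNSSEC validator concludes about an unsigned positive answer (such as the PTR a forwarder synthesizes from an RFC 6303 local zone) for the ::1 reverse name, given only the parent zone's NSEC chain. Two chains are constructed for ip6.arpa (they are hypothetical, not the real zone contents): one where the parent securely denies the name, which makes the unsigned local answer bogus, and one where the parent carries an insecure delegation (NS present, no DS) at the RFC 6303 name, which lets the unsigned answer through as Insecure. The helper names (`unsigned_answer_status`, `covers`, and so on) are the example's own.

```python
"""Model of a DNSSEC validator's verdict on an unsigned answer below ip6.arpa.

Added example, not from the original post. The NSEC chains below are
constructed for illustration and do not describe the real ip6.arpa zone.
"""

# Reverse name for ::1: thirty-two nibble labels under ip6.arpa.
LOOPBACK_V6 = "1." + "0." * 31 + "ip6.arpa."

APEX_TYPES = {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}
SECURE_DELEGATION = {"NS", "DS", "RRSIG", "NSEC"}     # DS present: child is signed
INSECURE_DELEGATION = {"NS", "RRSIG", "NSEC"}         # NS but no DS: chain of trust ends

# Chain 1 (constructed): the parent simply does not contain the ::1 name, so the
# NSEC from the apex to the next delegation proves it does not exist.
CHAIN_SECURELY_DENIED = [
    ("ip6.arpa.", "2.ip6.arpa.", APEX_TYPES),
    ("2.ip6.arpa.", "f.ip6.arpa.", SECURE_DELEGATION),
    ("f.ip6.arpa.", "ip6.arpa.", INSECURE_DELEGATION),   # last NSEC wraps to the apex
]

# Chain 2 (constructed): an insecure delegation at the RFC 6303 name itself.
CHAIN_INSECURE_DELEGATION = [
    ("ip6.arpa.", LOOPBACK_V6, APEX_TYPES),
    (LOOPBACK_V6, "2.ip6.arpa.", INSECURE_DELEGATION),
    ("2.ip6.arpa.", "f.ip6.arpa.", SECURE_DELEGATION),
    ("f.ip6.arpa.", "ip6.arpa.", INSECURE_DELEGATION),
]


def canonical_key(name):
    """RFC 4034 section 6.1 ordering: labels compared right to left, case-folded."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def is_subdomain(child, parent):
    kc, kp = canonical_key(child), canonical_key(parent)
    return len(kc) > len(kp) and kc[: len(kp)] == kp


def covers(nsec, name):
    """True if `name` sorts strictly between the NSEC owner and its next name."""
    owner, nxt, _ = nsec
    ko, kn, k = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if ko < kn:
        return ko < k < kn
    return k > ko or k < kn          # wrap-around NSEC at the end of the chain


def ancestors_below(apex, qname):
    """Names strictly below the apex, top-down, ending with qname itself."""
    apex_labels = [l for l in apex.rstrip(".").split(".") if l]
    q_labels = [l for l in qname.rstrip(".").split(".") if l]
    assert q_labels[-len(apex_labels):] == apex_labels, "qname not under apex"
    for depth in range(len(apex_labels) + 1, len(q_labels) + 1):
        yield ".".join(q_labels[-depth:]) + "."


def unsigned_answer_status(qname, apex, nsec_chain):
    """Verdict on an unsigned positive answer for qname, judged from the signed parent.

    Returns "insecure" (accepted, below an insecure delegation), "bogus"
    (parent proves the name is absent or owns it, so unsigned data is
    rejected), or "secure_delegation" (a DS exists; validation continues in
    the signed child, which this model does not include).
    """
    for name in ancestors_below(apex, qname):
        k = canonical_key(name)
        exact = [r for r in nsec_chain if canonical_key(r[0]) == k]
        if exact:
            types = exact[0][2]
            if "NS" in types and "DS" not in types:
                return "insecure"
            if "DS" in types:
                return "secure_delegation"
            if k == canonical_key(qname):
                return "bogus"       # parent owns the name; its data must be signed
            continue                 # ordinary ancestor inside the parent zone
        covering = [r for r in nsec_chain if covers(r, name)]
        if not covering:
            return "bogus"           # no proof at all; a validator treats this as bogus
        if is_subdomain(covering[0][1], name):
            continue                 # empty non-terminal, keep walking down
        return "bogus"               # signed NXDOMAIN proof; whole subtree is absent
    return "bogus"


if __name__ == "__main__":
    for label, chain in (("securely denied", CHAIN_SECURELY_DENIED),
                         ("insecure delegation", CHAIN_INSECURE_DELEGATION)):
        print(f"{label:20} -> {unsigned_answer_status(LOOPBACK_V6, 'ip6.arpa.', chain)}")
```

The "bogus" result for the first chain is the failure the post describes: a validating resolver that forwards the ::1 reverse query receives an unsigned local-zone answer while the signed parent proves the name cannot exist. The second chain shows why an insecure delegation, even one pointing at the parent's own servers, is enough: the NSEC at the delegation point proves "NS present, DS absent", so the validator stops expecting signatures below it.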