[dns-operations] The reverse for ::1 is signed as non-existant when it should be.

Mark Andrews marka at isc.org
Fri Feb 17 14:16:28 UTC 2012

In message <Prayer. at hermes-2.csi.cam.ac.uk>, Chris Tho
mpson writes:
> On Feb 17 2012, Mark Andrews wrote:
> >As per RFC 6303 this answer should not be signed.  See IANA
> >Considerations.  Please take steps to correct.  This is breaking
> >validating stub resolvers and validating nameservers that forward
> >this request to a nameserver with default local zones configured.
> Not to argue with this, but surely the same is true for
> That is, the in-addr.arpa zone securely denies the existence of
> anything between 126.in-addr.arpa and 128.in-addr.arpa.

I noticed the reverse for ::1 in my logs.  I didn't go looking for
others.  This should be enough of a headup for IANA to check all the
domains listed in RFC 6303.
> As in-addr.arpa and ip6.arpa use NSEC, without the possibility of
> opt-out that NSEC3 offers, there need to be insecure delegations
> to *something*. Are you proposing that the blackhole-*,iana.org
> network take them on?

Thats up to IANA/RIRs.  A insecure delegation to the same servers as the
parent zone is sufficient to break the chain of trust.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list