[dns-operations] [Dnssec-deployment] The reverse for ::1 is signed as non-existant when it should be.
Mark Andrews
marka at isc.org
Fri Feb 17 14:25:43 UTC 2012
In message <2541B98A-238C-410C-86D5-C794AD33BFD4 at icann.org>, Joe Abley writes:
> Hi Mark,
>
> On 2012-02-16, at 19:55, Mark Andrews wrote:
>
> > As per RFC 6303 this answer should not be signed. See IANA
> > Considerations. Please take steps to correct. This is breaking
> > validating stub resolvers and validating nameservers that forward
> > this request to a nameserver with default local zones configured.
>
> 6303 specifies that that answer should not be signed when it is locally-served.
Actually it specifies the exact opposite.
It is recommended that sites actively using these namespaces secure
them using DNSSEC [RFC4035] by publishing and using DNSSEC trust
anchors. This will protect the clients from accidental import of
unsigned responses from the Internet.
> The answer you got was from the IP6.ARPA zone. Are you suggesting that IP6.ARPA should be unsigned?
No. I'm suggesting that there be an insecure delegation to
break the chain of trust.
As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
namespaces, the zones listed above will need to be delegated as
insecure delegations, or be within insecure zones. This will allow
DNSSEC validation to succeed for queries in these spaces despite not
being answered from the delegated servers.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
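The following is an added example, not part of the thread above: it maps an address to its reverse name, tells whether that name falls inside one of the reverse zones RFC 6303 section 4 says resolvers serve locally, and judges a parent-zone answer (modelled here only as the set of RR types in its authority section, a constructed input) against what RFC 6303 asks for, namely an insecure delegation rather than the signed denial of existence Mark reports for the ::1 reverse.

```python
import ipaddress

# Reverse zones that RFC 6303 (section 4) lists as served locally by default.
# The two IPv6 entries for :: and ::1 are generated from the address so that
# all 32 nibbles come out right.
LOCALLY_SERVED = (
    "10.in-addr.arpa", "168.192.in-addr.arpa",
    *(f"{n}.172.in-addr.arpa" for n in range(16, 32)),
    "0.in-addr.arpa", "127.in-addr.arpa", "254.169.in-addr.arpa",
    "2.0.192.in-addr.arpa", "100.51.198.in-addr.arpa", "113.0.203.in-addr.arpa",
    "255.255.255.255.in-addr.arpa",
    ipaddress.ip_address("::").reverse_pointer,
    ipaddress.ip_address("::1").reverse_pointer,
    "d.f.ip6.arpa", "8.e.f.ip6.arpa", "9.e.f.ip6.arpa", "a.e.f.ip6.arpa",
    "b.e.f.ip6.arpa", "8.b.d.0.1.0.0.2.ip6.arpa",
)


def reverse_name(address: str) -> str:
    """Reverse-map name of an IPv4/IPv6 address, e.g. '::1' -> '1.0.(...).0.ip6.arpa'."""
    return ipaddress.ip_address(address).reverse_pointer.lower()


def locally_served_zone(name: str):
    """Return the RFC 6303 zone that contains `name`, or None if there is none."""
    labels = name.lower().rstrip(".").split(".")
    for zone in LOCALLY_SERVED:
        zone_labels = zone.split(".")
        if labels[-len(zone_labels):] == zone_labels:
            return zone
    return None


def classify_parent_answer(authority_types) -> str:
    """Judge the parent's (e.g. IP6.ARPA) answer for a locally-served zone apex.

    `authority_types` is the set of RR types seen in the authority section.
    RFC 6303 wants an insecure delegation (NS, no DS). A signed denial of
    existence lets a validator prove the zone does not exist, so the answer a
    resolver serves locally is rejected as bogus.
    """
    types = {t.upper() for t in authority_types}
    if "NS" in types and "DS" not in types:
        return "insecure delegation (correct per RFC 6303)"
    if "NS" in types:
        return "secure delegation (DS present: local unsigned answers fail validation)"
    if "SOA" in types and types & {"NSEC", "NSEC3"}:
        return "signed denial of existence (breaks validating resolvers)"
    return "unsigned denial of existence (insecure; validation still succeeds)"
```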