[dns-operations] [Dnssec-deployment] The reverse for ::1 is signed as non-existant when it should be.

Mark Andrews marka at isc.org
Fri Feb 17 14:25:43 UTC 2012

In message <2541B98A-238C-410C-86D5-C794AD33BFD4 at icann.org>, Joe Abley writes:
> Hi Mark,
> On 2012-02-16, at 19:55, Mark Andrews wrote:
> > As per RFC 6303 this answer should not be signed.  See IANA
> > Considerations.  Please take steps to correct.  This is breaking
> > validating stub resolvers and validating nameservers that forward
> > this request to a nameserver with default local zones configured.
> 6303 specifies that that answer should not be signed when it is locally-ser
> ved.

	Actually it specifies the exact opposite.

   It is recommended that sites actively using these namespaces secure
   them using DNSSEC [RFC4035] by publishing and using DNSSEC trust
   anchors.  This will protect the clients from accidental import of
   unsigned responses from the Internet.

> The answer you got was from the IP6.ARPA zone. Are you suggesting that IP6.
> ARPA should be unsigned?

	No. I'm suggesting that there be a insecure delegation to
	break the chain of trust.

   As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
   namespaces, the zones listed above will need to be delegated as
   insecure delegations, or be within insecure zones.  This will allow
   DNSSEC validation to succeed for queries in these spaces despite not
   being answered from the delegated servers.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list