[dns-operations] The reverse for ::1 is signed as non-existant when it should be.
Joe Abley
jabley at hopcount.ca
Fri Feb 17 14:30:34 UTC 2012
On 2012-02-17, at 09:16, Mark Andrews wrote:
> Thats up to IANA/RIRs. A insecure delegation to the same servers as the
> parent zone is sufficient to break the chain of trust.
So your suggestion is that the following insecure delegations be installed:
0.IN-ADDR.ARPA
127.IN-ADDR.ARPA
254.169.IN-ADDR.ARPA
2.0.192.IN-ADDR.ARPA
100.51.198.IN-ADDR.ARPA
113.0.203.IN-ADDR.ARPA
255.255.255.255.IN-ADDR.ARPA
to A.IN-ADDR-SERVERS.ARPA ... F.IN-ADDR-SERVERS.ARPA, and
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
D.F.IP6.ARPA
8.E.F.IP6.ARPA ... B.E.F.IP6.ARPA
8.B.D.0.1.0.0.2.IP6.ARPA
to A.IP6-SERVERS.ARPA ... F.IP6-SERVERS.ARPA?
Note that 169.IN-ADDR.ARPA, 192.IN-ADDR.ARPA, 198.IN-ADDR.ARPA and 203.IN-ADDR.ARPA are already delegated from IN-ADDR.ARPA, and D.0.1.0.0.2.IP6.ARPA is already delegated from IP6.ARPA.
Joe
More information about the dns-operations
mailing list