[dns-operations] The reverse for ::1 is signed as non-existent when it should be.

Mark Andrews marka at isc.org
Fri Feb 17 15:03:13 UTC 2012


In message <64D24052-90B2-4936-A8E4-237EFCB4F1E8 at hopcount.ca>, Joe Abley writes:
> 
> On 2012-02-17, at 09:16, Mark Andrews wrote:
> 
> > That's up to IANA/RIRs.  An insecure delegation to the same servers as the
> > parent zone is sufficient to break the chain of trust.
> 
> So your suggestion is that the following insecure delegations be installed:
> 
> 0.IN-ADDR.ARPA
> 127.IN-ADDR.ARPA
> 254.169.IN-ADDR.ARPA
> 2.0.192.IN-ADDR.ARPA
> 100.51.198.IN-ADDR.ARPA
> 113.0.203.IN-ADDR.ARPA
> 255.255.255.255.IN-ADDR.ARPA
> 
> to A.IN-ADDR-SERVERS.ARPA ... F.IN-ADDR-SERVERS.ARPA, and

That or the servers that serve their immediate parent zones.  For
254.169.IN-ADDR.ARPA that would be the ARIN servers.

> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> D.F.IP6.ARPA
> 8.E.F.IP6.ARPA ... B.E.F.IP6.ARPA
> 8.B.D.0.1.0.0.2.IP6.ARPA
> 
> to A.IP6-SERVERS.ARPA ... F.IP6-SERVERS.ARPA?
> 
> Note that 169.IN-ADDR.ARPA, 192.IN-ADDR.ARPA, 198.IN-ADDR.ARPA and
> 203.IN-ADDR.ARPA are already delegated from IN-ADDR.ARPA, and
> D.0.1.0.0.2.IP6.ARPA is already delegated from IP6.ARPA.
> 
> 
> Joe
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
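
Added example, not part of the original message or of any IANA/RIR tooling: a Python sketch that derives the reverse-zone owner names in the quoted list from address prefixes, showing why a prefix that does not end on a label boundary (such as a /10 in IP6.ARPA) needs several delegations. The function name and the prefix-to-name pairings used in the sample calls are assumptions made for illustration.

```python
import ipaddress

def reverse_zones(prefix: str) -> list[str]:
    """Return the reverse-tree zone names needed to cover `prefix`.

    IN-ADDR.ARPA labels are octets (8 bits), IP6.ARPA labels are nibbles
    (4 bits). A prefix that is not a multiple of the label size is split
    into the smallest set of label-aligned subnets, one zone per subnet.
    """
    net = ipaddress.ip_network(prefix)
    unit = 8 if net.version == 4 else 4
    suffix = "IN-ADDR.ARPA" if net.version == 4 else "IP6.ARPA"
    labels_needed = -(-net.prefixlen // unit)   # ceiling division
    aligned = labels_needed * unit              # prefix length rounded up
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        # Keep only the significant high-order bits of the subnet address.
        value = int(sub.network_address) >> (net.max_prefixlen - aligned)
        labels = []
        for _ in range(labels_needed):
            digit = value & ((1 << unit) - 1)
            # Least significant label comes first in the reverse tree.
            labels.append(str(digit) if unit == 8 else format(digit, "X"))
            value >>= unit
        zones.append(".".join(labels + [suffix]))
    return zones

if __name__ == "__main__":
    # Constructed sample input: prefixes assumed to correspond to the
    # names in the quoted list.
    for p in ("127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
              "::1/128", "fd00::/8", "fe80::/10", "2001:db8::/32"):
        for zone in reverse_zones(p):
            print(f"{p:16} -> {zone}")
```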


