[dns-operations] The reverse for ::1 is signed as non-existant when it should be.
Mark Andrews
marka at isc.org
Fri Feb 17 15:03:13 UTC 2012
In message <64D24052-90B2-4936-A8E4-237EFCB4F1E8 at hopcount.ca>, Joe Abley writes
:
>
> On 2012-02-17, at 09:16, Mark Andrews wrote:
>
> > Thats up to IANA/RIRs. A insecure delegation to the same servers as =
> the
> > parent zone is sufficient to break the chain of trust.
>
> So your suggestion is that the following insecure delegations be =
> installed:
>
> 0.IN-ADDR.ARPA
> 127.IN-ADDR.ARPA
> 254.169.IN-ADDR.ARPA
> 2.0.192.IN-ADDR.ARPA
> 100.51.198.IN-ADDR.ARPA
> 113.0.203.IN-ADDR.ARPA
> 255.255.255.255.IN-ADDR.ARPA
>
> to A.IN-ADDR-SERVERS.ARPA ... F.IN-ADDR-SERVERS.ARPA, and
That or the servers that serve their immediate parent zones. For
254.169.IN-ADDR.ARPA that would be the ARIN servers.
> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> D.F.IP6.ARPA
> 8.E.F.IP6.ARPA ... B.E.F.IP6.ARPA
> 8.B.D.0.1.0.0.2.IP6.ARPA
>
> to A.IP6-SERVERS.ARPA ... F.IP6-SERVERS.ARPA?
>
> Note that 169.IN-ADDR.ARPA, 192.IN-ADDR.ARPA, 198.IN-ADDR.ARPA and =
> 203.IN-ADDR.ARPA are already delegated from IN-ADDR.ARPA, and =
> D.0.1.0.0.2.IP6.ARPA is already delegated from IP6.ARPA.
>
>
> Joe=
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list