[dns-operations] The reverse for ::1 is signed as non-existant when it should be.

Chris Thompson cet1 at cam.ac.uk
Fri Feb 17 16:40:34 UTC 2012

On Feb 17 2012, Mark Andrews wrote:

>> As in-addr.arpa and ip6.arpa use NSEC, without the possibility of
>> opt-out that NSEC3 offers, there need to be insecure delegations
>> to *something*. Are you proposing that the blackhole-*,iana.org
>> network take them on?
>Thats up to IANA/RIRs.  A insecure delegation to the same servers as the
>parent zone is sufficient to break the chain of trust.

With said servers providing the appropriate (unsigned) empty zones,
I take it. We don't want queries for RFC 6303 zones to give SERVFAILs
if it so happens that they are *not* being served locally.

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

More information about the dns-operations mailing list