[dns-operations] The reverse for ::1 is signed as non-existent when it should be.
Chris Thompson
cet1 at cam.ac.uk
Fri Feb 17 16:40:34 UTC 2012
On Feb 17 2012, Mark Andrews wrote:
[...]
>> As in-addr.arpa and ip6.arpa use NSEC, without the possibility of
>> opt-out that NSEC3 offers, there need to be insecure delegations
>> to *something*. Are you proposing that the blackhole-*.iana.org
>> network take them on?
>
>That's up to IANA/RIRs. An insecure delegation to the same servers as the
>parent zone is sufficient to break the chain of trust.
With said servers providing the appropriate (unsigned) empty zones,
I take it. We don't want queries for RFC 6303 zones to give SERVFAILs
if it so happens that they are *not* being served locally.
--
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
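
The three cases discussed in this message, as an added example that is not part of the original post: a toy Python model of what a validating resolver concludes for a query under an RFC 6303 reverse zone, depending on what the signed parent (ip6.arpa or in-addr.arpa) proves and whether the delegated servers actually serve the zone. The function names and the simplified outcome labels are assumptions of the example; it is not a real validator.

```python
# Constructed toy model, not a real DNSSEC validator.
# "negative" stands for an NXDOMAIN or NODATA answer.

def delegation_status(nsec_types):
    """Classify the delegation point from the parent's signed NSEC.

    nsec_types is the type bitmap of the NSEC record owned by the
    delegation name, or None when the parent instead proves that the
    name does not exist (the situation in the thread subject).
    """
    if nsec_types is None:
        return "no-delegation"
    if "NS" in nsec_types and "SOA" not in nsec_types:
        # NS present, DS absent: a proven insecure delegation. With NSEC
        # there is no opt-out, so this proof needs a real delegation.
        return "secure" if "DS" in nsec_types else "insecure"
    raise ValueError("NSEC owner is not a delegation point")


def validate(nsec_types, child_serves_zone, child_signed=False):
    """Return (answer, security_status) as seen by a validating resolver."""
    status = delegation_status(nsec_types)
    if status == "no-delegation":
        # The parent's signed denial is final; the child is never asked.
        return ("negative", "secure")
    if not child_serves_zone:
        # Delegated, but the servers do not carry the zone: lame
        # delegation, so the resolver has nothing usable to return.
        return ("SERVFAIL", None)
    if status == "insecure":
        # Chain of trust ends here; the unsigned empty zone's answer
        # is accepted without validation.
        return ("negative", "insecure")
    # A DS exists, so an unsigned child would be treated as bogus.
    return ("negative", "secure") if child_signed else ("SERVFAIL", None)


if __name__ == "__main__":
    insecure_cut = {"NS", "RRSIG", "NSEC"}          # constructed bitmap
    print(validate(None, child_serves_zone=False))          # signed non-existence
    print(validate(insecure_cut, child_serves_zone=True))   # empty unsigned zone
    print(validate(insecure_cut, child_serves_zone=False))  # SERVFAIL case
```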