[dns-operations] Reverse DNSSEC--delegating to a child

McGhee, Karen (Evolver) Karen.Mcghee at USPTO.GOV
Wed Jul 25 21:24:18 UTC 2012


Thanks Joe and everyone. I did delegate the 252.207.151.in-addr.arpa to my child from the 207.151.in-addr.arpa. I signed the child and the 207.151.in-addr.arpa zone and sent the DS data to ARIN. It has been 8 or 9 hours, but I still see a break in the chain of trust between 151.in-addr.arpa and 207.151.in-addr.arpa when I look at the www.dnsviz.net site. I guess I'll ask for suggestions if it doesn't look better tomorrow.

-----Original Message-----
From: Joe Abley [mailto:jabley at hopcount.ca] 
Sent: Tuesday, July 24, 2012 10:43 AM
To: cet1 at cam.ac.uk
Cc: dns-operations at lists.dns-oarc.net; McGhee, Karen (Evolver)
Subject: Re: [dns-operations] Reverse DNSSEC--delegating to a child


On 2012-07-24, at 08:03, Chris Thompson wrote:

> On Jul 23 2012, Joe Abley wrote:
> [...]
>> When you have signed 207.151.in-addr.arpa and are confident that it 
>> validates correctly, you will need to get a DS record published in 
>> the parent zone, 151.in-addr.arpa. That zone is operated by the RIPE 
>> NCC, and so you will need to talk to them.
> 
> This isn't in the RIPE NCC database, so I suspect it is ERX space and 
> you need to "talk" to your own RIR (ARIN?). The RIRs that are up to 
> speed on this exchange NS + DS data for delegations of ERX space so 
> that they end up in the right high-level reverse zone.

Ah, thanks for that. 151.in-addr.arpa does seem to be served by the RIPE NCC, but also contain big lumps of space which are maintained by ARIN.

> "Talk" ought to mean "use the web interface". It certainly would if 
> you were in fact updating the RIPE NCC database.

PGP-signed e-mail to the auto-dbm at ripe.net robot still works just fine, for the grey-haired crowd.


Joe
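
Added example, not part of the original messages or any poster's code: the check behind the broken link discussed in this thread, namely that each signed zone's DNSKEY has a matching DS in its parent (RFC 4034 key tag, SHA-256 digest per RFC 4509). The key bytes, algorithm 8, the DS sets and all function names are constructed assumptions; it assumes the child's DS is already in 207.151.in-addr.arpa while 151.in-addr.arpa has none yet.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lowercase wire form of a domain name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags | protocol (always 3) | algorithm | key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, key):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    rdata = dnskey_rdata(*key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), key[1], 2, digest)

def first_break(chain, parent_ds, child_keys):
    """Return the first signed zone with no matching DS in its parent, else None."""
    for zone in chain:
        keys = child_keys.get(zone, [])
        if not keys:
            continue  # unsigned zone: no DNSKEY to link to a DS
        expected = {make_ds(zone, k) for k in keys}
        if not expected & set(parent_ds.get(zone, [])):
            return zone
    return None

# Constructed sample data: the key bytes are made up, not real keys.
PARENT, CHILD = "207.151.in-addr.arpa", "252.207.151.in-addr.arpa"
CHAIN = [PARENT, CHILD]
KEYS = {  # zone -> [(flags, algorithm, public key bytes)]
    PARENT: [(257, 8, b"constructed-ksk-parent-zone")],
    CHILD: [(257, 8, b"constructed-ksk-child-zone")],
}
# DS sets keyed by the zone they describe (published in that zone's parent).
DS_BEFORE = {CHILD: [make_ds(CHILD, KEYS[CHILD][0])]}
DS_AFTER = {**DS_BEFORE, PARENT: [make_ds(PARENT, KEYS[PARENT][0])]}

if __name__ == "__main__":
    print("before DS is published:", first_break(CHAIN, DS_BEFORE, KEYS))
    print("after DS is published: ", first_break(CHAIN, DS_AFTER, KEYS))
```

A DS that is present but was generated from a different key fails the same way as a missing one, since the comparison is on the full (key tag, algorithm, digest type, digest) tuple.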


