[dns-operations] Reverse DNSSEC--delegating to a child

Mark Andrews marka at isc.org
Thu Jul 26 00:21:14 UTC 2012

In message <2AA71BEDEBCF80449E35B7B640700BE4394A8114D6 at EMAIL4.uspto.gov>, "McGhee, Karen (Evolver)" writes:
> Thanks Joe and everyone.  I did delegate the 252.207.151.in-addr.arpa to my
> child from the 207.151.in-addr.arpa. I signed the child and the
> 207.151.in-addr.arpa zone and sent the DS data to ARIN.  It has been 8 or 9
> hours, but I still see a break in the chain of trust between 151.in-addr.arpa
> and 207.151.in-addr.arpa when I look at www.dnsviz.net site.  I guess I'll ask
> for suggestions if it doesn't look better tomorrow.

Well, the DS records are recorded at ARIN so it should be just a
matter of time.  If they don't appear in the 151.IN-ADDR.ARPA zone
within a day, call ARIN on the phone and ask them to find out what
has happened.


% whois -a  "d ! NET-151-207-0-0-1"
# The following results may also be obtained via:
# http://whois.arin.net/rest/net/NET-151-207-0-0-1/rdns?showDetails=true&ext=netref2

Name:           207.151.in-addr.arpa.
Updated:        2012-07-25
NameServer:     DNS1.USPTO.GOV
NameServer:     DNS2.USPTO.GOV

KeyTag:         54069
Algorithm:      7
DigestType:     1
Digest:         D605F359BDBE760DD1BFFC802CD97EF4BD66D73A

KeyTag:         54069
Algorithm:      7
DigestType:     2
Digest:         DD1086E5707F20B9E575515C8A7E48A7F5007ADA9FB065F0162D842A779E35B9
Ref:            http://whois.arin.net/rest/rdns/207.151.in-addr.arpa.

# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html


> -----Original Message-----
> From: Joe Abley [mailto:jabley at hopcount.ca] 
> Sent: Tuesday, July 24, 2012 10:43 AM
> To: cet1 at cam.ac.uk
> Cc: dns-operations at lists.dns-oarc.net; McGhee, Karen (Evolver)
> Subject: Re: [dns-operations] Reverse DNSSEC--delegating to a child
> On 2012-07-24, at 08:03, Chris Thompson wrote:
> > On Jul 23 2012, Joe Abley wrote:
> > [...]
> >> When you have signed 207.151.in-addr.arpa and are confident that it 
> >> validates correctly, you will need to get a DS record published in 
> >> the parent zone, 151.in-addr.arpa. That zone is operated by the RIPE 
> >> NCC, and so you will need to talk to them.
> > 
> > This isn't in the RIPE NCC database, so I suspect it is ERX space and 
> > you need to "talk" to your own RIR (ARIN?). The RIRs that are up to 
> > speed on this exchange NS + DS data for delegations of ERX space so 
> > that they end up in the right high-level reverse zone.
> Ah, thanks for that. 151.in-addr.arpa does seem to be served by the RIPE NCC,
> but also contain big lumps of space which are maintained by ARIN.
> > "Talk" ought to mean "use the web interface". It certainly would if 
> > you were in fact updating the RIPE NCC database.
> PGP-signed e-mail to the auto-dbm at ripe.net robot still works just fine, for
> the grey-haired crowd.
> Joe
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
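
Added example, not part of the original message or of any ARIN or ISC tooling: a Python sketch that parses the DS fields from the whois output quoted above and reports which of them a parent-zone DS answer does not yet contain. The function names are hypothetical and the parent-zone answer is a constructed sample.

```python
import re

# Hex length of the digest for each DS digest type (1 = SHA-1, 2 = SHA-256).
DIGEST_HEX_LEN = {1: 40, 2: 64}

# DS fields copied from the ARIN whois output quoted in this message.
ARIN_WHOIS = """\
Name:           207.151.in-addr.arpa.
KeyTag:         54069
Algorithm:      7
DigestType:     1
Digest:         D605F359BDBE760DD1BFFC802CD97EF4BD66D73A

KeyTag:         54069
Algorithm:      7
DigestType:     2
Digest:         DD1086E5707F20B9E575515C8A7E48A7F5007ADA9FB065F0162D842A779E35B9
"""

# Constructed sample of a parent-zone DS answer in "keytag alg type digest"
# form, at a moment when only the SHA-1 DS has been published.
PARENT_ANSWER = "54069 7 1 D605F359BDBE760DD1BFFC802CD97EF4BD66D73A\n"

def check(keytag, alg, dtype, digest):
    """Validate one DS tuple and normalise it for set comparison."""
    dtype, digest = int(dtype), digest.upper()
    if len(digest) != DIGEST_HEX_LEN.get(dtype) or not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError(f"malformed digest for digest type {dtype}: {digest}")
    return (int(keytag), int(alg), dtype, digest)

def parse_arin_ds(text):
    """Collect DS records from ARIN rdns whois text (Digest ends each block)."""
    records, cur = set(), {}
    for line in text.splitlines():
        m = re.match(r"(KeyTag|Algorithm|DigestType|Digest):\s+(\S+)", line)
        if m:
            cur[m.group(1)] = m.group(2)
            if m.group(1) == "Digest":
                records.add(check(cur["KeyTag"], cur["Algorithm"], cur["DigestType"], cur["Digest"]))
                cur = {}
    return records

def parse_ds_answer(text):
    """Parse 'keytag alg type digest...' lines; digest chunks may be space-split."""
    return {check(f[0], f[1], f[2], "".join(f[3:]))
            for f in (ln.split() for ln in text.splitlines()) if len(f) >= 4}

def missing_from_parent(registered, published):
    """DS records held by the registry that the parent zone does not serve yet."""
    return sorted(registered - published)

if __name__ == "__main__":
    for ds in missing_from_parent(parse_arin_ds(ARIN_WHOIS), parse_ds_answer(PARENT_ANSWER)):
        print("not yet in parent zone:", *ds)
```

An empty result means every DS registered with the RIR is being served by the parent, so a remaining break in the chain of trust lies elsewhere.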
