[dns-operations] signing reverse zones

Randy Bush randy at psg.com
Tue Feb 11 07:31:25 UTC 2014


hi mark,

> I'm interested in knowing if it is standard practice amongst folks to
> sign .arpa zones.  Is there a compelling use case for signing reverse
> zones?

standard practice?  you some kinda control freak?

first there are the arguments about whether reverse zones are useful and
should be populated.  i happen to use reverse lookup daily, so i try to
maintain them well for all the address space for which i am responsible.

so, given that i am gonna maintain the zone, why would i not want to
also sign the data?  the amount of work is trivial, and it's just one
more step in trying to paint security on the horribly insecure internet.

otoh, some ipv6 providers (ahem!) do not seem to sign reverse parents in
ip6.arpa, so it can be hard to get one's delegated /56-48 properly DSed.

randy


