[dns-operations] signing reverse zones

Chris Thompson cet1 at cam.ac.uk
Tue Feb 11 16:52:38 UTC 2014


On Feb 10 2014, Mark Boolootian wrote:

>I'm interested in knowing if it is standard practice amongst folks to
>sign .arpa zones.  Is there a compelling use case for signing reverse
>zones?

We sign our (public) reverse zones. So if it isn't standard practice,
it ought to be :-)

The RIRs invested substantial effort to sign the high-level reverse zones
for which they are responsible, and adding support for including DS records
for their clients, feeding them to each other in cases when more than one
RIR is involved. It would be a pity not to take advantage of that.

Of course, not all registrars think that way. It's a matter of increasing
annoyance to me that although we have DNSSEC chains of trust from the root
for our ERX reverse zones (e.g. 111.131.in-addr.arpa), we don't for reverse
zones acquired later (e.g. 95.60.193.in-addr.arpa) - including for all
our IPv6 address space - because JANET have still not got around to
signing the intermediate zones between us and RIPE-NCC. It's the main
reason we can't abandon DLV yet.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    Roger Needham Building, 7 JJ Thomson Avenue,
Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom.
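Added worked example (not part of the mailing-list post above): a small Python script that maps an address prefix to its in-addr.arpa / ip6.arpa zone and then walks the delegation chain from the root to see where a DNSSEC chain of trust would break. The zone-cut table is constructed to mirror the situation the post describes, an ERX zone with a complete chain and a later zone whose intermediate parent has no DS record, and which zones are cuts, and which of them are unsigned, is a hypothetical illustration rather than a statement about the real 131/8 or 193/8 delegations.

```python
import ipaddress


def reverse_zone(cidr):
    """Return the in-addr.arpa / ip6.arpa zone that covers `cidr`.

    IPv4 prefixes must sit on an octet boundary, IPv6 prefixes on a nibble
    boundary, because reverse-zone labels are whole octets / hex digits.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need an octet-aligned prefix")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ancestors(name):
    """Yield the root, then every ancestor of `name` down to `name` itself."""
    labels = name.rstrip(".").split(".")
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:])


# Constructed zone-cut table (hypothetical, for illustration only):
# zone name -> True if its parent publishes a DS record for it, False if not.
# Names absent from the table are assumed not to be separate zones.
CUTS = {
    "arpa": True,
    "in-addr.arpa": True,
    "131.in-addr.arpa": True,
    "111.131.in-addr.arpa": True,     # ERX zone: chain of trust complete
    "193.in-addr.arpa": True,
    "60.193.in-addr.arpa": False,     # hypothetical intermediate zone, no DS
    "95.60.193.in-addr.arpa": False,  # parent unsigned, so no DS possible
}


def first_break(zone, cuts):
    """Walk the zone cuts above `zone` from the root downwards.

    Returns the first cut whose parent has no DS record for it, i.e. the point
    at which a validator following the root trust anchor loses the chain, or
    None when every cut is covered.
    """
    for name in ancestors(zone):
        if name == ".":
            continue  # the root is the trust anchor itself
        if name not in cuts:
            continue  # not a separate zone: same zone as its parent
        if not cuts[name]:
            return name
    return None


if __name__ == "__main__":
    for prefix in ("131.111.0.0/16", "193.60.95.0/24", "2001:db8::/32"):
        zone = reverse_zone(prefix)
        broken_at = first_break(zone, CUTS)
        status = "chain complete" if broken_at is None else f"breaks at {broken_at}"
        print(f"{prefix:16} -> {zone:28} {status}")
```

The walk reports the first unsigned cut, which is the zone whose operator has to publish DS records before the child can drop a DLV fallback; every cut below it is unverifiable from the root regardless of whether the child zone itself is signed.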


