[dns-operations] signing reverse zones

George Michaelson ggm at apnic.net
Wed Feb 12 22:48:02 UTC 2014 

I am probably saying this badly, and I regret any implied
teaching-your-granny-to-suck-eggs. Thats not my goal.

I understand Reverse-DNS as a namespace which contains assertions made by
the entity which controls the next-highest do-separated tlabel delegation
point, or the hunt backwards to the root. That doesn't have to BE the
immediate rightmost dot if you are a /24, the /16 might not be delegated.
Likewise there may only be a /24 and the intermediate /16 may not exist as
a delegation point: the /24 may reside directly in an RIR /8 delegation
zone file.

So, in that respect, it represents an assertion of PTR made by a 'parent'
entity over the addressblock in question.

Because it is forced to align to the dot boundary of the mapping of an IPv4
or IPv6 address, which do not align cleanly with the CIDR boundary of
routing, It has a more limited applicability to statements over routing.

There are people who believe there are ways round that but its
work-in-progress. (which btw, I am not involved with and I make no claims
as to its viability or otherwise. I do personally think a clean CIDR/prefix
respecting namespace in DNS would be interesting and useful)

So noting that it has limited applicability in the wide to the exact-match
of routing, It does at least have relationship to the management of the
address space and respects a top-down delegation/hierarchy model of
management. Again, I am not trying to say what should/should-not be
regarding that, just that it does follow a hierarchy, which can be useful,
because trust stems from the root TA out of band, so a signed DNS reverse
space represents a series of encompassing hierarchical trust statements
from the root down.

Parent assertions can be useful. Signed parent assertions can be useful.
They can include information which materially says "for more information go
<here>" so in principle, they can empower address holders, under a suitable
framework, to make trustable assertions about an IP address.

Can anyone think of reasons why they might want to do that?


On Thu, Feb 13, 2014 at 8:03 AM, Mark Boolootian <booloo at ucsc.edu> wrote:

> Hi Randy,
>
> >> I'm interested in knowing if it is standard practice amongst folks to
> >> sign .arpa zones.  Is there a compelling use case for signing reverse
> >> zones?
> >
> > standard practice?  you some kinda control freak?
>
> Learned at the feet of the masters (and thank you :-)
>
> > first there is the arguments about whether reverse zones are useful and
> > should be populated.  i happen to use reverse lookup daily, so i try to
> > maintain them well for all the address space for which i am responsible.
>
> We do likewise.
>
> > so, given that i am gonna maintain the zone, why would i not want to
> > also sign the data?  the amount of work is trivial, and it's just one
> > more step in trying to paint security on the horribly insecure internet.
>
> I was anticipating more of a beating for my question, but apparently
> there is an overabundance of politeness here :-)    All points taken.
>
> mark
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140213/4fcaea12/attachment.html>

More information about the dns-operations mailing list