[dns-operations] signing reverse zones

Peter Koch pk at DENIC.DE
Thu Feb 13 10:22:02 UTC 2014


On Thu, Feb 13, 2014 at 08:48:02AM +1000, George Michaelson wrote:

> Parent assertions can be useful. Signed parent assertions can be useful.
> They can include information which materially says "for more information go
> <here>" so in principle, they can empower address holders, under a suitable
> framework, to make trustable assertions about an IP address.
> 
> Can anyone think of reasons why they might want to do that?

I'm not sure I follow your argument about the parent assertion in the first place,
but even if I did, what would DNSSEC change? The DNSSEC signature has
absolutely no value in assessing the presence of the data (the strength,
legitimacy or validity of the assertion) other than giving you confidence
that the consumer sees exactly what was published at a certain point in the
DNS tree (by whoever).

-Peter


