[dns-operations] signing reverse zones

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Tue Mar 4 19:55:39 UTC 2014



On 02/10/14 18:05, Mark Andrews wrote:
> 
> In message <CAMCLrkGpqt+KLGfhh+9yZTJhke+-9UY9_d9VgEjefJbBEfBKaQ at mail.gmail.com>, Mark Boolootian writes:
>> I'm interested in knowing if it is standard practice amongst folks to
>> sign .arpa zones.  Is there a compelling use case for signing reverse
>> zones?
> 
> All zones should be signed.  For structured zones like these NSEC3
> is pointless.  A signed reverse zone can be leveraged to provide
> cryptographically secure communication to an IP.
> 
>> Thoughts appreciated,
>> mark

I vaguely recall being asked about signing our reverse zones, in
connection with exploration in some sort of extended use of
DNSSEC...though I can't recall what that was.

I recall discussion of doing SSL without using a known CA as something
that can be done, perhaps there was something about SSH that could be
done with reverse DNS?

Anyways....I couldn't do it, we've lost control of our ARIN record.
ARIN only allows named individual contacts to manage the
information...not role contacts.  Our netblock lists 3 role contacts,
DNS, Networking and Abuse.  And, one individual who hasn't worked here
in years (> 16?).

When all the contacts for our netblock get abuse notifications....I kept
getting asked why is somebody who hasn't been here for a long time still
a contact.  Well you do a whois on our IP space and he's listed.  They
go off to try to remove him...  And, then the next time we get
emails...he's still included, and I get asked again and things
repeat....  Never understood why they didn't actually do what they said
they would.  Until I went to see about doing signing of our
reverse....

Of course, I have two /24's that I've also lost control of.  Even though
I'm the remaining named contact for the net blocks, they are linked to
organizations that have long ago ceased to exist.  But, they require that
I prove the organization's existence before I can disassociate the
blocks from them.  And, in one case to release a /24.

It does make me wonder sometimes, how much IPv4 space is assigned that is
available but due to ARIN's policies is lost....

Guess nobody knew that when you dissolve a company/organization
they should release their IP space.  Unlike their domain name, which was
immediately snapped for obscene purposes when it expired.

Because of that, there are a few domains that I've been renewing on my
own...though some TLDs have gotten more expensive, so I'll probably let
a couple of them expire soon.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
