Pirawat WATANAPONGSE <pirawat.w at ku.th> wrote:
> 1. There are old DS keys from .arpa to in-addr.arpa still dangling around.

This might be part of a rollover plan (I don't track changes to .arpa so
I can't tell how old the DS records are)

> 2. 158.in-addr.arpa is still using ‘Algorithm 5’

Yes, this needs fixing.

> 3. Even though my netblock was ROAed, APNIC did not link me
> to the ‘reverse’ DNSsec chain:
> 3.1. Why? Because it’s a ‘Historical’ netblock, transferred from ARIN to
> APNIC epochs ago. So, my ‘domain’ is with NIR (thank god), my ‘netblock’
> Whois is now with APNIC, but my ‘reverse’ is still with ARIN.
> 3.2. If I want to hook into the ‘reverse’ DNSsec chain, who do I send my DS
> key to? APNIC? ARIN?
> 3.2.1. APNIC is not the SOA of 158.in-addr.arpa.
> 3.2.2. I am no longer a ‘client’ of ARIN, the SOA of 158.in-addr.arpa.

Yes, it is complicated, especially for legacy allocations, but I don't
think it is particularly broken.

I have a similar situation with the reverse DNS for The
registration for the address block is with RIPE, but the reverse DNS
delegation is via ARIN.

The way this works is that I do all administration via RIPE (configuring
NS and DS records, etc.), and RIPE send zone file fragments to ARIN, which
incorporate them into the DNS. I think I found out about this from an
outage report a few years ago:


The situation for whois is somewhat worse than the reverse DNS. I've done
some work on the FreeBSD whois client, which tries to work by following
referrals instead of having built-in knowledge about which whois servers
to ask. This mostly works OK, except that APNIC and RIPE don't put any
kind of referral in their whois responses even though they know which
other RIR is responsible for the adress block. When that happens my whois
client tries ARIN (which usually works) or falls back to trying each RIR
in turn...

