[dnssec-deployment] Plans to sign arpa, in-addr.arpa, ip6.arpa?
oberman at es.net
Sat Nov 7 17:18:58 EST 2009
> Sender: "DNSSEC deployment" <dnssec-deployment at shinkuro.com>
> From: Joe Abley <jabley at hopcount.ca>
> Date: Sun, 8 Nov 2009 07:07:44 +0900
> On 2009-11-06, at 21:42, Chris Thompson wrote:
> > Maybe I've missed something, but among all the ICANN/Verisign descriptions
> > of the planned schedule for signing the root zone, there doesn't seem to
> > be any mention of "arpa", "in-addr.arpa" (both served from the root servers)
> > or "ip6.arpa" (not so served, but owned by ICANN).
> You're right that the work to sign the root zone has not included
> direct treatment of the work required to sign ARPA, IN-ADDR.ARPA and
> Work continues amongst the various involved organisations on arranging
> for ARPA, IN-ADDR.ARPA and IP6.ARPA to be signed. The operational
> community should expect to hear details just as soon as there are
> details to be shared.
> > It's also not entirely clear whether it's a good thing for these all to be
> > separate zones, lengthening the chain of trust.
> Your proposal is that IN-ADDR.ARPA, IP6.ARPA and ARPA all be rolled
> into the root zone?
I'm not sure that rolling them into the root is a good idea, but I can
see good argument and reason to have the contents of in-addr.arpa and
ip6.arpa rolled into .arpa. I see no real benefit in keeping them
separate and, from a signing standpoint, having them divided both
complicates key management and lengthens the chain of trust for no good
reason that I see. Of course, those who have been working with DNSSEC
and/or the reverse address space may see a very good reason that I am
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751