[dnssec-deployment] Plans to sign arpa, in-addr.arpa, ip6.arpa?

Kevin Oberman oberman at es.net
Sat Nov 7 17:18:58 EST 2009


> Sender: "DNSSEC deployment" <dnssec-deployment at shinkuro.com>
> From: Joe Abley <jabley at hopcount.ca>
> Date: Sun, 8 Nov 2009 07:07:44 +0900
> 
> 
> On 2009-11-06, at 21:42, Chris Thompson wrote:
> 
> > Maybe I've missed something, but among all the ICANN/Verisign
> > descriptions of the planned schedule for signing the root zone, there
> > doesn't seem to be any mention of "arpa", "in-addr.arpa" (both served
> > from the root servers) or "ip6.arpa" (not so served, but owned by ICANN).
> 
> You're right that the work to sign the root zone has not included  
> direct treatment of the work required to sign ARPA, IN-ADDR.ARPA and  
> IP6.ARPA.
> 
> Work continues amongst the various involved organisations on arranging  
> for ARPA, IN-ADDR.ARPA and IP6.ARPA to be signed. The operational  
> community should expect to hear details just as soon as there are  
> details to be shared.
> 
> > It's also not entirely clear whether it's a good thing for these all
> > to be separate zones, lengthening the chain of trust.
> 
> Your proposal is that IN-ADDR.ARPA, IP6.ARPA and ARPA all be rolled  
> into the root zone?

Joe,

I'm not sure that rolling them into the root is a good idea, but I can
see good argument and reason to have the contents of in-addr.arpa and
ip6.arpa rolled into .arpa. I see no real benefit in keeping them
separate and, from a signing standpoint, having them divided both
complicates key management and lengthens the chain of trust for no good
reason that I see. Of course, those who have been working with DNSSEC
and/or the reverse address space may see a very good reason that I am
missing. 
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


