[dnssec-deployment] Plans to sign arpa, in-addr.arpa, ip6.arpa?
pk at DENIC.DE
Sat Nov 7 19:45:44 EST 2009
On Sat, Nov 07, 2009 at 03:22:43PM -0800, Kevin Oberman wrote:
> several I am not at all aware of as I have never handled anything like
> .arpa. (Well, there was .de, but that was quite a few years ago and life
> and DNS were much simpler.)

Not that DE would have had any similarity, though.

> consolidating multiple domains into a single zone should not be rejected
> out of hand or mandated and, since all of .arpa (as far as I know) is
> handled by ICANN, it probably should be a mostly internal issue, though
> the impact on external entities like RIRs and local DNS admins should
> be taken into consideration.

The separation of zones is not only an engineering issue but of course
often enough an administrative one, as well - even if in the end the
zone maintenance would be(!) handled by the same entity.

IIRC, the reason to introduce a split between ARPA and IN-ADDR.ARPA
was an incident with a fake NS RRSet for one of the domain names
being introduced into the system. This might no longer be an issue,
but the administrative aspect remains: if you haven't read RFC 3172 yet,
it's highly recommended.

Apart from that, the phenomenon described in the presentation that
was quoted here earlier doesn't really pose a problem.