[dnssec-deployment] Plans to sign arpa, in-addr.arpa, ip6.arpa?
cet1 at cam.ac.uk
Sun Nov 8 17:54:53 EST 2009
On Nov 8 2009, Ralf Weber wrote:
> . [...snip...] RFC2870
>and RFC3172 suggest that the name server set for .arpa should change
>from the root servers to a dedicated set, which IMHO is a pre-
>requesite for signing .arpa, as it otherwise signing would impact root
In fact this seems to be the only reason that RFC 3172 requires a
zone cut between the root and "arpa" (and possibly between "arpa"
and "in-addr.arpa", although that is less clear). Section 2 lays
down that the operational requirements for the "arpa" nameservers
have to match those for the root nameservers, precisely because
they are to be a different set.
And in section 4 we read
| Currently, the "arpa" zone is located on a subset of the root
| servers, and the zone is managed in accordance with these
| specifications. The IAB is working with ICANN, IANA, and the
| regional registries to move "arpa" and "in-addr.arpa" records from
| the root servers in accord with the RFC 2870 recommendation for
| exclusive use of those servers .
This was published over 8 years ago, and it hasn't happened yet. Are
we really expected to believe that this is still work in progress?
Rather than an old idea that seemed to make sense at the time, long
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
More information about the Dnssec-deployment