Thanks Joe and everyone. I did delegate the 252.207.151.in-addr.arpa to my child from the 207.151.in-addr.arpa. I signed the child and the 207.151.in-addr.arpa zone and sent the DS data to ARIN. It has been 8 or 9 hours, but I still see a break in the chain of trust between 151.in-addr.arpa and 207.151.in-addr.arpa when I look at www.dnsviz.net site. I guess I'll ask for suggestions if it doesn't look better tomorrow.
-----Original Message----- From: Joe Abley [mailto:[email protected]] Sent: Tuesday, July 24, 2012 10:43 AM To: [email protected] Cc: [email protected]; McGhee, Karen (Evolver) Subject: Re: [dns-operations] Reverse DNSSEC--delegating to a child On 2012-07-24, at 08:03, Chris Thompson wrote: > On Jul 23 2012, Joe Abley wrote: > [...] >> When you have signed 207.151.in-addr.arpa and are confident that it >> validates correctly, you will need to get a DS record published in >> the parent zone, 151.in-addr.arpa. That zone is operated by the RIPE >> NCC, and so you will need to talk to them. > > This isn't in the RIPE NCC database, so I suspect it is ERX space and > you need to "talk" to your own RIR (ARIN?). The RIRs that are up to > speed on this exchange NS + DS data for delegations of ERX space so > that they end up in the right high-level reverse zone. Ah, thanks for that. 151.in-addr.arpa does seem to be served by the RIPE NCC, but also contain big lumps of space which are maintained by ARIN. > "Talk" ought to mean "use the web interface". It certainly would if > you were in fact updating the RIPE NCC database. PGP-signed e-mail to the [email protected] robot still works just fine, for the grey-haired crowd. Joe _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
