In message <prayer.1.3.5.1408201724000.12...@hermes-1.csi.cam.ac.uk>, Chris Thompson writes:
> On Aug 15 2014, Mark Andrews wrote:
>
> [...]
> >The last delegation in the current chain is a secure delegation from
> >IN-ADDR.ARPA to 100.IN-ADDR.ARPA so there is a problem currently.
> >No one can safely set up their own reverse zones validation is now
> >starting to be done in stub resolvers and to do so would result in
> >validation failures.
> >
> >> Are you reacting to some other suggestion that one or both of ARIN and
> >> IANA are keen to insert a secure delegation for each of those 64 zones?
> >
> >I'm saying that there needs to be a delegation and that the delegation
> >needs to be insecure. There currently isn't a delegation at this level.
>
> This thread reminds me that the same problem arises if one wants to
> locally define reverse zones for the IPv4 multicast addresses described
> in sections 6.1 and 6.2 of RFC 2365, i.e. parts of 239.192.0.0/10.
> 239.in-addr.arpa is signed with a chain of trust from the root, but
> it doesn't contain any sort of delegation for these address ranges.
>
> What would be the right way to officially request IANA to do for
> 239.192.0.0/10 what Mark Andrews is proposing for 100.64.0.0/10?
> At least in this case ARIN is not involved: 239.in-addr.arpa is
> all IANA's own work!

Write up a draft for this range requesting that the DNSSEC chain of
trust gets broken for reverse range as per the method described in
RFC 6303.

> --
> Chris Thompson               University of Cambridge Information Services,
> Email: c...@uis.cam.ac.uk    Roger Needham Building, 7 JJ Thomson Avenue,
> Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop