Hello,

The one difference that comes to mind is that NSEC3 doesn't make a lot of sense in the reverse space, as anyone can walk the zones anyway, so we (LACNIC) will be using NSEC for signed negative responses.
Other than that, it's pretty much the same.

regards

Carlos

--
Carlos Martinez-Cagnazzo
R+D Engineer
http://www.labs.lacnic.net

On 3/6/12 9:34 AM, Olaf Kolkman wrote:
> On Mar 6, 2012, at 9:32 AM, Dick Visser wrote:
>
>>>> Any ideas/policies/bestpractice/rumours about signing reverse DNS zones?
>>> I sign all my reverse zones just as my forward zones - are there any
>>> differences?
>> No, but since I don't see too much information about it I thought
>> I'd ask around.
>> I guess I'm looking for a Best Practices document ;-)
>
> You might want to have a quick look at:
> http://www.ripe.net/data-tools/dns/dnssec/procedure-for-requesting-dnssec-delegations
>
> But that is more a hook for provisioning than best practices. For operational
> practices there is not much difference between forward and reverse (as said),
> except perhaps issues of key-maintenance and administrative exposure, all
> those tradeoffs are described in
> http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis
>
> --Olaf
>
> ________________________________________________________
>
> Olaf M. Kolkman NLnet Labs
> http://www.nlnetlabs.nl/
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
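The point about NSEC3 in the reverse space, worked through as an added example that is not part of the original thread: because every possible owner name in an IPv4 /24 reverse zone is known in advance, the RFC 5155 hashes of all 256 names can be tabulated and any published NSEC3 owner name mapped straight back, so hashing hides nothing that NSEC would reveal. The zone name (the 192.0.2.0/24 documentation range) and the salt and iteration count are constructed sample values.

```python
import base64
import hashlib

# Translate the standard base32 alphabet to base32hex (RFC 4648), which
# NSEC3 uses for hashed owner names.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: salted SHA-1, re-hashed `iterations` more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()


def reverse_names(zone):
    """Every possible PTR owner name in an IPv4 /24 reverse zone."""
    return ["%d.%s" % (i, zone) for i in range(256)]


def hash_table(zone, salt, iterations):
    """Map each NSEC3 hashed label back to its owner name for the whole /24."""
    return {nsec3_hash(n, salt, iterations): n for n in reverse_names(zone)}


if __name__ == "__main__":
    zone = "2.0.192.in-addr.arpa"        # constructed sample zone
    salt = bytes.fromhex("aabbccdd")     # constructed sample NSEC3 parameters
    table = hash_table(zone, salt, 12)
    # A hashed owner name as it would appear in an NSEC3 record of this zone.
    published = nsec3_hash("17." + zone, salt, 12)
    print(published, "->", table[published])
```

The salt and iteration count are published in the zone's NSEC3PARAM record, so the table costs a few thousand SHA-1 operations per /24; the name space is small and fully predictable whichever record type is used.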
