Re: [DNSOP] Why isn't ip6.arpa signed?
Ted,

On Aug 21, 2008, at 4:48 PM, Ted Lemon wrote:
> It looks like it's sort of half-signed - if I query the right
> authoritative server, I do get a signed response, but most of the
> servers authoritative for ip6.arpa do not respond with signed
> responses.

Err, no. It isn't signed, at least officially. If you query
ns.iana.org (which isn't one of the official name servers for
ip6.arpa), you'll get back a signed response because it is part of the
DNSSEC testbed IANA has deployed (see https://ns.iana.org/dnssec/status.html).
However, if you query any of the official name servers, you
shouldn't get back a signed response. If you are getting a signed
response, please let me know as something would be horribly wrong.

> Since not everybody responds that way, it's effectively not
> signed. How come? There's no giant user base whose ox will be
> gored here. It seems like a no-brainer.

Quite some time ago, the IAB asked IANA to sign .ARPA and the children
of ARPA IANA had responsibility for. IANA developed a set of tools to
help facilitate this and have been running a testbed for more than a
year now. Unfortunately, signing .ARPA and its children got tangled
up in layer 9 stuff. In Dublin, there was some agreement on how to
move forward and I expect/hope there to be progress in the near future
(but of course, nothing in layer 9 is ever guaranteed).

Regards,
-drc
_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop