[Opendnssec-user] Reverse zones?

Carlos Martinez-Cagnazzo carlos at lacnic.net
Tue Mar 6 14:04:25 UTC 2012


Hello,

The one difference that comes to mind is that NSEC3 doesn't make a lot
sense in the reverse space, as anyone can walk the zones anyway, so we
(LACNIC) will be using NSEC for signed negative responses.

Other than that, it's pretty much the same.

regards

Carlos

--
Carlos Martinez-Cagnazzo
R+D Engineer
http://www.labs.lacnic.net


On 3/6/12 9:34 AM, Olaf Kolkman wrote:
> On Mar 6, 2012, at 9:32 AM, Dick Visser wrote:
>
>>>> Any ideas/policies/bestpractice/rumours about signing reverse DNS zones?
>>> I sign all my reverse zones just as my forward zones - are there any differences?
>> No, but since I don't see too much information about it I thought
>> I'd ask around.
>> I guess I'm looking for a Best Practices document ;-)
>
> You might want to have a quick look at: http://www.ripe.net/data-tools/dns/dnssec/procedure-for-requesting-dnssec-delegations
>
> But that is more a hook for provisioning than best practices. For operational practices there is not much difference between forward and reverse (as said), except perhaps issues of key-maintenance and administrative exposure, all those tradeoffs are described in http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis
>
> --Olaf
>
>
> ________________________________________________________ 
>
> Olaf M. Kolkman                        NLnet Labs
> http://www.nlnetlabs.nl/
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
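
Added example, not part of the original message or of OpenDNSSEC: a sketch of why NSEC3 hashing hides nothing in a reverse zone, using the RFC 5155 hash over the 256 possible names of a /24. The zone (documentation range 192.0.2.0/24), salt, iteration count and all function names are constructed for illustration.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex alphabet, as used for NSEC3 owner names.
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercase) DNS wire format of an absolute name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1 over name||salt, then `iterations` more rounds."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX).lower()

def reverse_names(zone):
    """Every possible single-label child of an in-addr.arpa /24 zone."""
    return [f"{i}.{zone}" for i in range(256)]

def hash_table(zone, salt, iterations):
    """Map each NSEC3 hash back to the only name that can produce it."""
    return {nsec3_hash(n, salt, iterations): n for n in reverse_names(zone)}

# Constructed sample values (assumptions, not taken from any real zone).
ZONE = "2.0.192.in-addr.arpa."
SALT = bytes.fromhex("aabbccdd")   # the salt is published in NSEC3PARAM anyway
ITERATIONS = 12

if __name__ == "__main__":
    table = hash_table(ZONE, SALT, ITERATIONS)
    # A hashed owner name as it would appear in a signed negative response.
    seen = nsec3_hash("42." + ZONE, SALT, ITERATIONS)
    print(len(table), "candidate names;", seen, "->", table[seen])
```

Because the whole namespace is known in advance, the hashed chain carries the same information as a plain NSEC chain while costing extra hashing on the signer and on validators.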