John Todd <jtodd@quad9.net> writes:
To validate that the addresses were “ours” or at least under our control, there were still some hoops to jump through other than the standard validation of registry data. For example, we had to activate web servers and objects on our anycast network to answer specific queries during some of the check processes.
TL;DR: Digicert is still the only player for v6 signing, and it will not be entirely hands-free to manage but also not overly difficult.
Thanks a lot! This is incredibly useful.

Yes, we are sort of prepared for the web server hoops. Not trivial since our addresses aren't normally reachable from the Internet, even if they are public and advertised. We are only providing AS internal DNS resolver service. Dropping outside traffic is an easy way to add some protection. But that's just one more hoop.

The technical challenges are nothing anyway. Getting permission from sourcing to buy something from a new partner will be far worse... So I will go another round with our existing partners first.

Thanks again.

Bjørn