Dnssec and ptr records
Quick question for those who have researched things more closely. I have signed all my forward zones and think I've crossed my I's and dotted my T's, but one thing I'm not sure of... Are we supposed to set up signing for reverse DNS zones?

__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165

This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.
Eric J Esslinger (eesslinger) writes:
Quick question for those who have researched things more closely. I have signed all my forward zones and think I've crossed my I's and dotted my T's, but one thing I'm not sure of...
Are we supposed to set up signing for reverse DNS zones?
Hi Eric,

Let me reverse the question: why wouldn't you?

Cheers,
Phil
-----Original Message-----
From: Phil Regnauld [mailto:regnauld@nsrc.org]
Sent: Tuesday, October 18, 2011 9:18 AM
To: Eric J Esslinger
Cc: 'nanog@nanog.org'
Subject: Re: Dnssec and ptr records
Well it makes sense we should, just that all the examples, discussion, and such I've read dealt with forward records. I guess I get to dig some more. Thanks.
On Oct 18, 2011, at 10:21 AM, Eric J Esslinger wrote:
Well it makes sense we should, just that all the examples, discussion, and such I've read dealt with forward records.
I guess I get to dig some more. Thanks.
Eric -

Your in-addr zone first needs to be signed and then the DS records are put in the parent in-addr zone to link into the signed IN-ADDR.ARPA hierarchy. In the ARIN region, this can be done via the DNSSEC DS record management in ARIN Online or via the RESTful provisioning interface.

ARIN DNSSEC Project overview: https://www.arin.net/resources/dnssec/
ARIN Online/DNSSEC Tutorials: https://www.arin.net/knowledge/dnssec/index.html

FYI,
/John

John Curran
President and CEO
ARIN
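John's two steps (sign the reverse zone, then get the DS records for its key-signing key published in the parent, which for an ARIN-allocated block means ARIN) can be checked locally before anything is submitted. The Python below is an added example, not code from this thread or from ARIN: it derives the in-addr.arpa or ip6.arpa apex from a prefix, builds the DS record (RFC 4034 key tag and SHA-256 digest over the canonical owner name plus the DNSKEY RDATA) that the parent must publish, and verifies that a DS you are about to hand over really matches the DNSKEY the signed zone serves. The KSK bytes and the 203.0.113.0/24 prefix are constructed placeholders, ARIN Online and its RESTful interface are not modelled, and in practice you would compare the printed DS line against your signer's own output (for BIND, `dnssec-dsfromkey`) before pasting it into the registry interface. Nothing in the code path is specific to reverse zones; only the owner name differs from a forward zone.

```python
"""Build and check the DS record a parent must publish for a signed reverse zone."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass

DS_DIGEST_SHA256 = 2  # DS digest type for SHA-256 (RFC 4509)

# Constructed placeholders for the example; not a real key or a real allocation.
SAMPLE_KSK_PUBKEY = bytes(range(1, 65))
SAMPLE_PREFIX = "203.0.113.0/24"  # RFC 5737 documentation prefix


def reverse_zone(prefix: str) -> str:
    """Reverse-DNS apex for an octet-aligned IPv4 or nibble-aligned IPv6 prefix.

    203.0.113.0/24 -> 113.0.203.in-addr.arpa.   2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa.
    Other prefix lengths are delegated with classless tricks (RFC 2317) and are rejected here.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated on octet boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex

    def presentation(self) -> str:
        """Zone-file form, the line you hand to the parent (ARIN, or your ISP for PA space)."""
        return f"{self.owner} IN DS {self.key_tag} {self.algorithm} {self.digest_type} {self.digest.upper()}"


def make_ds(zone: str, flags: int, algorithm: int, public_key: bytes) -> DS:
    """DS digest = SHA-256(canonical owner name || DNSKEY RDATA), RFC 4034 s5.1.4."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    owner = zone.lower().rstrip(".") + "."
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return DS(owner, key_tag(rdata), algorithm, DS_DIGEST_SHA256, digest)


def ds_matches(ds: DS, zone: str, flags: int, algorithm: int, public_key: bytes) -> bool:
    """True if the DS the parent holds was derived from this DNSKEY; use before/after submitting."""
    return make_ds(zone, flags, algorithm, public_key) == ds


if __name__ == "__main__":
    zone = reverse_zone(SAMPLE_PREFIX)
    # 257 = KSK (SEP bit set), 8 = RSASHA256
    ds = make_ds(zone, 257, 8, SAMPLE_KSK_PUBKEY)
    print(ds.presentation())
    print("DS matches DNSKEY:", ds_matches(ds, zone, 257, 8, SAMPLE_KSK_PUBKEY))
```

Run it after signing: the printed line should be byte-for-byte what your signer emits for the same KSK, and `ds_matches` is the check to repeat once the parent's DS is visible in the live in-addr.arpa tree, since a stale DS after a KSK rollover makes the whole reverse zone bogus to validating resolvers.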
(Presuming, of course, that you've got an ARIN assignment or allocation. If you're in a provider-assigned block, you'll need to chat with your ISP about the DS linkage for your PTR zones... /John )

On Oct 18, 2011, at 12:31 PM, John Curran wrote:
-----Original Message-----
From: John Curran [mailto:jcurran@arin.net]
Sent: Tuesday, October 18, 2011 11:56 AM
To: Eric J Esslinger
Cc: nanog@nanog.org Operators' Group
Subject: Re: Dnssec and ptr records
Thank you. That gives me information to work with, and I now have a solid understanding of what I need to do for the proper delegation setup. I'll have to talk to my current ISP for the blocks I currently have, though I don't believe they do DNSSEC at this time. I am expecting to get an ARIN allocation shortly (and return their existing allocations to them) as we are going multihomed soon. I may just have to wait till then to get everything fully set up.
On Tue, Oct 18, 2011 at 09:13:54AM -0500, Eric J Esslinger wrote:
Quick question for those who have researched things more closely. I have signed all my forward zones and think I've crossed my I's and dotted my T's, but one thing I'm not sure of...
Are we supposed to set up signing for reverse DNS zones?
You should practice the same diligence with all your DNS zones: either sign all of them or none of them.

/bill
At 9:13 -0500 10/18/11, Eric J Esslinger wrote:
Are we supposed to set up signing for reverse DNS zones?
To the DNS, a zone is a zone. The terms "forward" and "reverse" as zone adjectives were invented by humans. ;)

The high-level view of signing the "reverse zones" is the same as for "forward zones."

--
Edward Lewis
NeuStar
Participants (6): bmanning@vacation.karoshi.com, Edward Lewis, Eric J Esslinger, John Curran, Phil Regnauld, Randy Bush