In message <7ea38d42-3915-403e-afe3-c0a8e4a39...@hopcount.ca>, Joe Abley writes:
>
> On 14 Aug 2014, at 12:04, Mark Andrews <ma...@isc.org> wrote:
>
> > The assignments go:
> >
> > 0.0.0.0/0        IANA (IN-ADDR.ARPA)
> > 100.0.0.0/8      ARIN (100.IN-ADDR.ARPA)
> > 100.64.0.0/10    IANA (64.100.IN-ADDR.ARPA through
> >                  127.100.IN-ADDR.ARPA)
> >
> > The 100.64/10 address range is assigned to IANA.  IANA has not yet
> > set up IN-ADDR.ARPA zones and servers for this range.
>
> Since there is no secure delegation in place right now, anybody who wants
> to set up their own reverse DNS (and e.g. point their resolvers at it
> through resolver configuration) can do so, right? So there's no current
> problem?

The last delegation in the current chain is a secure delegation
from IN-ADDR.ARPA to 100.IN-ADDR.ARPA so there is a problem currently.
No one can safely set up their own reverse zones; validation is now
starting to be done in stub resolvers and to do so would result in
validation failures.

> Are you reacting to some other suggestion that one or both of ARIN and
> IANA are keen to insert a secure delegation for each of those 64 zones?

I'm saying that there needs to be a delegation and that the delegation
needs to be insecure.  There currently isn't a delegation at this
level.

> It seems to me that no delegation is a perfectly reasonable steady state,
> so long as ARIN doesn't mind the NXDOMAIN load from leaked queries. An
> alternative to a delegation (if they do care) would be a DNAME
> redirection to EMPTY.AS112.ARPA once that is available.

Given that IN-ADDR.ARPA -> 100.IN-ADDR.ARPA is a secure delegation
there is currently no way to safely intercept the queries.  I also
don't think that ISPs that deploy 100.64/10 should be unable to
safely add reverse zones for that range.

> Joe
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
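
Added example, not part of the original message: a simplified Python model of the validator decision discussed in the thread, comparing the delegation state described above with the requested insecure delegations for the 64 reverse zones under 100.64.0.0/10. The function names, the two delegation maps and the assumption that in-addr.arpa validates up to a trust anchor are constructed for illustration.

```python
import ipaddress

SECURE, INSECURE = "secure", "insecure"  # DS present / NS with proof of no DS

def reverse_zones(cidr):
    """Reverse zones on the /16 boundary covering an IPv4 prefix (/16 or shorter)."""
    zones = []
    for net in ipaddress.ip_network(cidr).subnets(new_prefix=16):
        a, b = str(net.network_address).split(".")[:2]
        zones.append(f"{b}.{a}.in-addr.arpa.")
    return zones

def local_zone_status(zone, delegations, anchor="in-addr.arpa.", ds_matches=False):
    """Status a validator gives to data from a locally served `zone`.

    `delegations` maps a signed parent to {child: SECURE | INSECURE}.
    `anchor` is assumed to validate up to the configured trust anchor.
    `ds_matches` means the local zone is signed with a key the parent's DS covers.
    """
    labels = zone.rstrip(".").split(".")
    depth = len(anchor.rstrip(".").split("."))
    signer = anchor  # closest signed zone seen so far
    for i in range(len(labels) - depth - 1, -1, -1):
        child = ".".join(labels[i:]) + "."
        kind = delegations.get(signer, {}).get(child)
        if kind == INSECURE:
            return "insecure"  # proven unsigned: local data is accepted
        if kind == SECURE:
            if child == zone:
                return "secure" if ds_matches else "bogus"
            signer = child
    # No zone cut reached `zone`: `signer` provably owns the name, so
    # answers lacking its signatures fail validation.
    return "bogus"

ZONES = reverse_zones("100.64.0.0/10")
# Constructed model of the state described in the thread.
CURRENT = {"in-addr.arpa.": {"100.in-addr.arpa.": SECURE}}
# Constructed model of the requested state: 64 insecure delegations.
PROPOSED = {**CURRENT, "100.in-addr.arpa.": {z: INSECURE for z in ZONES}}

if __name__ == "__main__":
    for name, state in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, {local_zone_status(z, state) for z in ZONES})
```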