Skip to main content

Introducing DNSSEC Service to Reverse DNS Trees

This policy proposal has been accepted

Publication date
Draft document
Introducing DNSSEC Service to Reverse DNS Trees
  • Marco Hogewoning
  • Remco van Mook
  • Marco Hogewoning
  • Remco van Mook
Proposal Version
1.0 - 05 Jan 2011
All Versions
01 Oct 2005
State Discription
Working Group
DNS Working Group
Proposal type
  • New
Policy term

To implement DNSSEC, we propose extending the policy for Reverse Address Delegation of IPv4 and IPv6 Address Space in the RIPE NCC Service Region.

The RIPE NCC is committed to supporting the deployment of DNS Security Extensions - a set of security extensions to the DNS that allows validating DNS resolvers to establish 'chains of trust' from known public keys to the data being validated.

During the resolution process, DNSSEC aware nameservers will provide secure delegations. These consist of a regular delegation (the NS record) to the nameservers that are authoritative for the child zone, as well as a signed pointer (the DS record) to a key that is authorised to sign the child zone. When the child and parent zone have exchanged keys, we can provide a secure delegation.

This proposal describes our planned policy for serving secured DNS data and key exchange. It does not cover deployment of DNSSEC by Local Internet Registries (LIRs) or others in our service region.

We are also introducing two new proposed procedural documents, comments are welcome on these:

The Draft Public Key Procedure explains the procedure that we will follow with our keys. You will need this document if you plan to configure the RIPE NCC as a 'trust anchor' or if you receive a secure delegation from us.

The Draft Registry Procedure explains how you can get a secure delegation.

This policy and the related procedures are tailored towards the operation of a secured Domain Name System. They are not in any way tailored to the establishment of a certification authority similar to CAs used for X509 PKIs.