You are here: Home > Participate > Policy Development > Policy Proposals > Introducing DNSSEC Service to Reverse DNS Trees

Introducing DNSSEC Service to Reverse DNS Trees

To implement DNSSEC, we propose extending the policy for Reverse Address Delegation of IPv4 and IPv6 Address Space in the RIPE NCC Service Region.

The RIPE NCC is committed to supporting the deployment of DNS Security Extensions - a set of security extensions to the DNS that allows validating DNS resolvers to establish 'chains of trust' from known public keys to the data being validated.

During the resolution process, DNSSEC aware nameservers will provide secure delegations. These consist of a regular delegation (the NS record) to the nameservers that are authoritative for the child zone, as well as a signed pointer (the DS record) to a key that is authorised to sign the child zone. When the child and parent zone have exchanged keys, we can provide a secure delegation.

This proposal describes our planned policy for serving secured DNS data and key exchange. It does not cover deployment of DNSSEC by Local Internet Registries (LIRs) or others in our service region.

We are also introducing two new proposed procedural documents, comments are welcome on these:

The Draft Public Key Procedure explains the procedure that we will follow with our keys. You will need this document if you plan to configure the RIPE NCC as a 'trust anchor' or if you receive a secure delegation from us.

The Draft Registry Procedure explains how you can get a secure delegation.

This policy and the related procedures are tailored towards the operation of a secured Domain Name System. They are not in any way tailored to the establishment of a certification authority similar to CAs used for X509 PKIs.

Get Involved

The Domain Name System (DNS) Working Group discusses current DNS-related issues in technology and operations. The WG encourages deployment of DNS and related protocol components by collecting experience and documenting current practice and recommendations. Anyone with an interest in DNS is welcome to observe and contribute to the WG. To post a message to the list, send an email to dns-w[email protected]. Please note that only subscribers can post messages.

RIPE Forum

The RIPE Forum is an additional way to participate in RIPE community mailing list discussions using a web-based interface rather than an email client.

Check out the forum

Please contact if you need more information.

Stay up to date!

Follow @PDO_RIPE_NCC on Twitter.