[dns-wg] RIPE NCC DNSSEC trust anchors
Jim Reid jim at rfc1035.com
Thu Nov 13 17:03:03 CET 2014
On 13 Nov 2014, at 14:54, Anand Buddhdev <anandb at ripe.net> wrote:

> Dear colleagues,
>
> Most of the zones that the RIPE NCC signs with DNSSEC have trust anchors
> in their parent zones, with the exception of these three zones:
>
> 151.76.62.in-addr.arpa
> ripe.int
> ripen.cc
>
> We have been publishing trust anchors for these three zones on our
> website, as well as in the ISC DLV trust anchor repository (TAR):
> https://dlv.isc.org
>
> On Tuesday, 11 November 2014, we rolled our DNSSEC Key Signing Keys
> and added the new trust anchors for these three zones to the ISC
> DLV TAR. Because we believe manual configuration of trust anchors is
> very rare these days, we are taking this opportunity to stop publishing
> trust anchors for these three zones on our website. The trust anchors
> remain available via the ISC DLV TAR. Of course, as soon as we are
> able to publish DS records for these zones in their parents, we will
> do so and withdraw them from the ISC DLV TAR, as we have done for all
> our other zones.

Anand, I am confused. 62/8 is under RIPE NCC control. There are DS records for 62.in-addr.arpa which presumably got put there by the NCC. So why does anything underneath that domain have to be in DLV?

I would very much like to see a timetable and plan for the removal of RIPE NCC managed zones from DLV. Is there a worthwhile reason for any NCC-managed reverse zones and keying material to remain there? I can't think of one.

As for the other two domain names, do you have any statistics on how often they are used/looked up and why? And of those lookups, how many result in DLV-flavour validation? How often do URLs containing these two domain names appear in web content or whatever? i.e. Does validation of these two domains actually matter to anything?

Neither of these TLDs seems appropriate for the NCC. IIRC ripen.cc was a botched experiment some years ago that was quietly buried. [Apparently URLs with a ripen.cc hostname were shorter than those which used ripe.net. Go figure.] It would seem the only reason for holding on to these two domain names would be for defensive registrations and/or to put an HTTP redirect to ripe.net. Either way, there doesn't seem much point in signing these zones and far less populating DLV with DS records for them. Maybe I've missed something.

I appreciate your understandable need for caution here Anand and to avoid surprises. However, there hasn't been a need to use DLV for NCC-managed zones for a few years now. So I think it's about time to pull the plug on the NCC's DLV involvement forever. After giving everyone sufficient notice of course. I hope your email is the start of that process.

Of course what happens to DLV once the NCC's stuff is removed remains a decision for ISC. My views on that are well known.