On Wed, 19 Feb 2020 at 11:43, Pirawat WATANAPONGSE <[email protected]> wrote:
> Well, let’s look at the real netblock, shall we? (‘cause I have nothing to
> hide)
> You can see for yourself at
> https://dnsviz.net/d/108.158.in-addr.arpa/dnssec/
>

I don't really see any of these things as flag-day level problems. The (so-called) DNS Flag Days are about fixing long standing interoperability issues that increase complexity of DNS server code, as it needs to work around those problems. None of the issues below are interoperability issues, and none of them are long-standing issues either.

> 1. There are old DS keys from .arpa to in-addr.arpa still dangling around.
>

Why do you say there are old DS records (not keys) hanging around? It looks to me like the DS records for key IDs 53696 and 63982 are likely to be pre-published for a key roll. Although without very long term history of the zone contents it's hard to tell. Perhaps one of them is outgoing and the other is incoming? Either way, this is not a _problem_ for the zone or the DNS.

> 2. 158.in-addr.arpa is still using ‘Algorithm 5’
>

That could be improved, but again I don't see this as a flag-day level issue. Algo 5 has only recently fallen out of favour, and we haven't even got around to deprecating it yet. Presumably ARIN will get around to doing an algorithm roll in the coming months. You might ask on arin-discuss[1] whether there are currently any plans, and what the schedule is. It's entirely possible they've already published such a schedule... their operations team is usually pretty on top of things.

The remainder of these are not DNS problems at all, they're registry operations and RIR policy issues. For those I suggest you email the registration support contacts at RIPE and ARIN, and if that doesn't solve your issue, then I'd take it to their respective policy mailing lists.

> 3. Even though my 158.108.0.0/16 netblock was ROAed, APNIC did not link
> me to the ‘reverse’ DNSsec chain:
> 3.1. Why? Because it’s a ‘Historical’ netblock, transferred from ARIN to
> APNIC epochs ago. So, my ‘domain’ is with NIR (thank god), my ‘netblock’
> Whois is now with APNIC, but my ‘reverse’ is still with ARIN.
> 3.2. If I want to hook into the ‘reverse’ DNSsec chain, who do I send my
> DS key to? APNIC? ARIN?
> 3.2.1. APNIC is not the SOA of 158.in-addr.arpa.
> 3.2.2. I am no longer a ‘client’ of ARIN, the SOA of 158.in-addr.arpa.
>

[1]: <https://www.arin.net/participate/community/mailing_lists/>
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
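A snapshot check of the two DNS points discussed in the message above (DS records at the parent versus DNSKEYs published by the child, and use of Algorithm 5), as an added example that is not part of the original message. The zone name, key material and function names are constructed for illustration.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}       # DS digest types 1 and 2
SHA1_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}  # SHA-1 based DNSSEC algorithms

def dnskey_rdata(flags, protocol, alg, pubkey):
    return struct.pack("!HBB", flags, protocol, alg) + pubkey

def key_tag(flags, protocol, alg, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata(flags, protocol, alg, pubkey)):
        acc += byte << 8 if i % 2 == 0 else byte
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Owner name in canonical (lower-case) wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(name, key, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(name) + dnskey_rdata(*key)).hexdigest()
    return (key_tag(*key), key[2], digest_type, digest)

def audit(name, ds_set, dnskey_set):
    """Classify each DS held by the parent against the child's DNSKEY RRset."""
    report = []
    for tag, alg, dtype, digest in ds_set:
        want = (tag, alg, dtype, digest.lower())
        matched = dtype in DIGESTS and any(
            make_ds(name, key, dtype) == want for key in dnskey_set)
        report.append({
            "key_tag": tag,
            # "no-dnskey" covers both an incoming (pre-published) and an outgoing
            # key; a single snapshot of the zone cannot tell the two apart.
            "status": "matched" if matched else "no-dnskey",
            "weak_alg": SHA1_ALGS.get(alg),
        })
    return report

# Constructed sample data: made-up key material for a placeholder zone.
ZONE = "zone.example."
ACTIVE_KSK = (257, 3, 5, bytes(range(1, 33)))
NEXT_KSK = (257, 3, 8, bytes(range(33, 65)))
DS_SET = [make_ds(ZONE, ACTIVE_KSK), make_ds(ZONE, NEXT_KSK)]
DNSKEY_SET = [ACTIVE_KSK]          # NEXT_KSK is not yet in the child zone

if __name__ == "__main__":
    for entry in audit(ZONE, DS_SET, DNSKEY_SET):
        print(entry)
```

As long as one DS matches a DNSKEY that signs the DNSKEY RRset, the chain of trust holds, so an extra unmatched DS does not by itself break validation.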
