Print

[snarked]

With the DNS root data being signed as of July 1, 2010, this got me thinking.  Will HE offer DNSSEC for our tunnels' reverse zones?  We already have may have 3 DNS servers for the reverse zones, but there's no place to add DS information....

Is this on the list of things to add?  Will it be ready in July?  Will HE secure its main reverse zone ("0.7.4.0.1.0.0.2.ip6.arpa")?  (And, will ns1.he.net ever get an IPv6 address?)


PS:  Demanding, aren't I?  ;-)

[broquea]

Maybe in the future, no changes to production equipment at this time.
NS1 gets one when you can promise that someone dual-stacked with broken IPv6 connectivity won't have issues when all authoritative NS are on both stacks.

[snarked]

Aside - regardin NS1 and IPv6:  Isn't that "their" problem, not yours?

DNSSEC:  :-(

(Not to say that I've implemented it either.  Even with BIND, it's not easy.)

[broquea]

And Google white-lists why?

Similar principal, we provide web hosting (and now DNS hosting) where our ns1-5 are the authoritative NS, so this configuration keeps the first/primary/etc NS available even to broken IPv6 configured machines, and thus our customers websites don't get a "slow" feel with waiting 30-60s for broken IPv6 connectivity to time out and perform lookups against our NS over IPv4.

[jimb]

Ironic how Teredo and 6to4, meant to speed IPv6 adoption, actually results in slowing it down because of the need to do things like this.

[HLFH]

Hello 


Any updates for DNSSEC support on Reverse IPv6 zones via HE?

Thanks,
HLFH

[snarked]

Although HE hasn’t updated this topic, I can say that all my zones, including reverse zones, are DNSSEC signed and seemed to be served properly, but there isn’t a delegation chain.  ISC shouldn’t have shut down its DLV function because of this, but it closed in 2017.

Providing signatures where the chain is lacking may be a bandwidth waste, but at least it doesn’t break the DNS.