• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

DNSSEC on Reverse IPv6 zones via HE?

Started by snarked, April 21, 2010, 11:21:56 PM

Previous topic - Next topic


With the DNS root data being signed as of July 1, 2010, this got me thinking.  Will HE offer DNSSEC for our tunnels' reverse zones?  We already have may have 3 DNS servers for the reverse zones, but there's no place to add DS information....

Is this on the list of things to add?  Will it be ready in July?  Will HE secure its main reverse zone ("")?  (And, will ns1.he.net ever get an IPv6 address?)

PS:  Demanding, aren't I?  ;-)


Maybe in the future, no changes to production equipment at this time.
NS1 gets one when you can promise that someone dual-stacked with broken IPv6 connectivity won't have issues when all authoritative NS are on both stacks. :D


Aside - regardin NS1 and IPv6:  Isn't that "their" problem, not yours?

DNSSEC:  :-(

(Not to say that I've implemented it either.  Even with BIND, it's not easy.)


And Google white-lists why? ;)

Similar principal, we provide web hosting (and now DNS hosting) where our ns1-5 are the authoritative NS, so this configuration keeps the first/primary/etc NS available even to broken IPv6 configured machines, and thus our customers websites don't get a "slow" feel with waiting 30-60s for broken IPv6 connectivity to time out and perform lookups against our NS over IPv4.


Ironic how Teredo and 6to4, meant to speed IPv6 adoption, actually results in slowing it down because of the need to do things like this.


Hello  :)

Any updates for DNSSEC support on Reverse IPv6 zones via HE?



Although HE hasn't updated this topic, I can say that all my zones, including reverse zones, are DNSSEC signed and seemed to be served properly, but there isn't a delegation chain.  ISC shouldn't have shut down its DLV function because of this, but it closed in 2017.

Providing signatures where the chain is lacking may be a bandwidth waste, but at least it doesn't break the DNS.


I have this concern too. I have a tunnel-connected site (no other viable option) that hosts an authoritative DNS server and I'd really like to secure rDNS for those addresses.


In the 12 years since this issue was raised, DNSSEC adoption has (slowly) increased - as have attacks on the DNS.

The work-around of ISC's DLV, which could provide an alternate trust path for orphaned signed reverse zones has been discontinued.

The technology for supporting DNSSEC has matured - including RFCs 7344 and 8078, which largely automate the process of updating parent zones via CDS/CDNSKEY records.

It would be helpful if DNSSEC support could be provided for reverse zones.