Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Author Topic: DNSSEC on Reverse IPv6 zones via HE?  (Read 2902 times)

snarked

  • Hero Member
  • *****
  • Posts: 758
DNSSEC on Reverse IPv6 zones via HE?
« on: April 21, 2010, 11:21:56 PM »

With the DNS root data being signed as of July 1, 2010, this got me thinking.  Will HE offer DNSSEC for our tunnels' reverse zones?  We already have may have 3 DNS servers for the reverse zones, but there's no place to add DS information....

Is this on the list of things to add?  Will it be ready in July?  Will HE secure its main reverse zone ("0.7.4.0.1.0.0.2.ip6.arpa")?  (And, will ns1.he.net ever get an IPv6 address?)


PS:  Demanding, aren't I?  ;-)
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1718
Re: DNSSEC on Reverse IPv6 zones via HE?
« Reply #1 on: April 22, 2010, 12:03:03 AM »

Maybe in the future, no changes to production equipment at this time.
NS1 gets one when you can promise that someone dual-stacked with broken IPv6 connectivity won't have issues when all authoritative NS are on both stacks. :D
Logged

snarked

  • Hero Member
  • *****
  • Posts: 758
Re: DNSSEC on Reverse IPv6 zones via HE?
« Reply #2 on: April 22, 2010, 11:17:49 AM »

Aside - regardin NS1 and IPv6:  Isn't that "their" problem, not yours?

DNSSEC:  :-(

(Not to say that I've implemented it either.  Even with BIND, it's not easy.)
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1718
Re: DNSSEC on Reverse IPv6 zones via HE?
« Reply #3 on: April 22, 2010, 12:12:35 PM »

And Google white-lists why? ;)

Similar principal, we provide web hosting (and now DNS hosting) where our ns1-5 are the authoritative NS, so this configuration keeps the first/primary/etc NS available even to broken IPv6 configured machines, and thus our customers websites don't get a "slow" feel with waiting 30-60s for broken IPv6 connectivity to time out and perform lookups against our NS over IPv4.
Logged

jimb

  • Hero Member
  • *****
  • Posts: 805
  • ^^^ Warped picture
Re: DNSSEC on Reverse IPv6 zones via HE?
« Reply #4 on: April 22, 2010, 03:40:12 PM »

Ironic how Teredo and 6to4, meant to speed IPv6 adoption, actually results in slowing it down because of the need to do things like this.
Logged

HLFH

  • Newbie
  • *
  • Posts: 1
Re: DNSSEC on Reverse IPv6 zones via HE?
« Reply #5 on: September 03, 2019, 03:34:53 AM »

Hello  :)


Any updates for DNSSEC support on Reverse IPv6 zones via HE?

Thanks,
HLFH
Logged

snarked

  • Hero Member
  • *****
  • Posts: 758
Re: DNSSEC on Reverse IPv6 zones via HE?
« Reply #6 on: September 04, 2019, 12:50:45 AM »

Although HE hasnít updated this topic, I can say that all my zones, including reverse zones, are DNSSEC signed and seemed to be served properly, but there isnít a delegation chain.  ISC shouldnít have shut down its DLV function because of this, but it closed in 2017.

Providing signatures where the chain is lacking may be a bandwidth waste, but at least it doesnít break the DNS.
Logged