DNSSEC and PTR records

Quick question for those who have researched things more closely. I have signed all my forward zones and think I've crossed my I's and dotted my T's, but one thing I'm not sure of...

Are we supposed to set up signing for reverse DNS zones?

Are we supposed to set up signing for reverse DNS zones?

yes

Eric J Esslinger (eesslinger) writes:

Quick question for those who have researched things more closely. I have signed all my forward zones and think I've crossed my I's and dotted my T's, but one thing I'm not sure of...

Are we supposed to set up signing for reverse DNS zones?

  Hi Eric,

  Let me reverse the question: why wouldn't you?

  Cheers,
  Phil

Well it makes sense we should, just that all the examples, discussion, and such I've read dealt with forward records.

I guess I get to dig some more. Thanks.

You should practice the same diligence with all your DNS zones: either sign all of them or none of them.

/bill

To the DNS, a zone is a zone. The terms "forward" and "reverse" as zone adjectives were invented by humans. :wink:

The high-level view of signing the "reverse zones" is the same as for "forward zones."

Eric -

Your in-addr zone first needs to be signed and then the DS
records are put in the parent in-addr zone to link into the
signed IN-ADDR.ARPA hierarchy. In the ARIN region, this can
be done via the DNSSEC DS record management in ARIN Online or
via the RESTful provisioning interface.

ARIN DNSSEC Project overview: https://www.arin.net/resources/dnssec/
ARIN Online/DNSSEC Tutorials: https://www.arin.net/knowledge/dnssec/index.html

FYI,
/John

John Curran
President and CEO
ARIN

(Presuming, of course, that you've got an ARIN assignment
or allocation. If you're in a provider-assigned block,
you'll need to chat with your ISP about the DS linkage
for your PTR zones... /John )
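
The DS linkage described in the message above, sketched as an added example that is not part of the original thread: it derives the in-addr.arpa zone name for an octet-aligned IPv4 block and computes the SHA-256 DS record (RFC 4034) that the parent zone would publish for that zone's key. The prefix 192.0.2.0/24, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import ipaddress
import struct

# Constructed sample key material (NOT a real key): 64 bytes standing in for
# an ECDSA P-256 public key, as it would appear base64-encoded in a DNSKEY RR.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()


def reverse_zone(cidr):
    """Map an octet-aligned IPv4 prefix (/8, /16, /24) to its in-addr.arpa zone."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 prefixes are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def name_to_wire(name):
    """Canonical (lowercase) DNS wire format of a fully qualified name."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(zone, flags, protocol, algorithm, pubkey_b64):
    """Build the SHA-256 (digest type 2) DS record to hand to the parent zone."""
    if not flags & 0x0100:
        raise ValueError("DS must reference a DNSKEY with the Zone Key bit set")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    # DS digest input is the owner name in wire format followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return f"{zone} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


if __name__ == "__main__":
    print(make_ds(reverse_zone("192.0.2.0/24"), 257, 3, 13, SAMPLE_PUBKEY_B64))
```

The digest covers the owner name as well as the key, so the same key published under a different reverse zone yields a different DS record.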

Thank you. That gives me information to work with, and I now have a solid understanding of what I need to do for the proper delegation setup. I'll have to talk to my current ISP for the blocks I currently have, though I don't believe they do DNSSEC at this time. I am expecting to get an ARIN allocation shortly (and return their existing allocations to us) as we are going multihomed soon. I may just have to wait till then to get everything fully set up.
