Submission + - ARIN Implements DNSSEC (arin.net)
wmbetts writes: On 27 April, ARIN placed Delegation Signer (DS) records into in-addr.arpa
and ip6.arpa. Now DNSSEC validation will occur from the root down if you
properly set up your DNSSEC-aware recursive resolver.
For most DNSSEC-aware recursive resolver operators, nothing needs to be
done for this change to be in effect as long as you have configured your
DNSSEC-aware server to use ICANNâs trust anchor for the root zone. For
those who have used ARINâs trust anchors (in place since 2 July 2009) to
take advantage of DNSSEC before the root or in-addr.arpa was signed, you
MUST remove them within the next two months of this date. Otherwise,
DNSSEC validation may fail due to a KSK change to ARINâs zones.
Additionally, ARIN will also coordinate with Internet Systems Consortium,
Inc. (ISC) to remove ARIN's delegations from their DNSSEC Lookaside
Validation (DLV) registry after setting up these records in in-addr.arpa
and ip6.arpa.
The DS records will remain the same as the current trust anchor for the
next two months. After that time, ARIN will begin rolling a KSK for its
authoritative zones, which will cause any DNSSEC-enabled resolvers that
use ARINâs statically, configured trust anchors to fail.
For full details on DNSSEC at ARIN, refer to:
https://www.arin.net/resources/dnssec/
and ip6.arpa. Now DNSSEC validation will occur from the root down if you
properly set up your DNSSEC-aware recursive resolver.
For most DNSSEC-aware recursive resolver operators, nothing needs to be
done for this change to be in effect as long as you have configured your
DNSSEC-aware server to use ICANNâs trust anchor for the root zone. For
those who have used ARINâs trust anchors (in place since 2 July 2009) to
take advantage of DNSSEC before the root or in-addr.arpa was signed, you
MUST remove them within the next two months of this date. Otherwise,
DNSSEC validation may fail due to a KSK change to ARINâs zones.
Additionally, ARIN will also coordinate with Internet Systems Consortium,
Inc. (ISC) to remove ARIN's delegations from their DNSSEC Lookaside
Validation (DLV) registry after setting up these records in in-addr.arpa
and ip6.arpa.
The DS records will remain the same as the current trust anchor for the
next two months. After that time, ARIN will begin rolling a KSK for its
authoritative zones, which will cause any DNSSEC-enabled resolvers that
use ARINâs statically, configured trust anchors to fail.
For full details on DNSSEC at ARIN, refer to:
https://www.arin.net/resources/dnssec/
