Future of BIND's built-in empty zone list

Chris Thompson cet1 at cam.ac.uk
Sun May 17 15:30:01 UTC 2015

On May 16 2015, Mark Andrews wrote:
>When IANA and ARIN finally gets around to doing 64.100.IN-ADDR.ARPA
>et al., which has been waiting over a year for the of DNSOP to write
>up the last call of draft-ietf-dnsop-rfc6598-rfc6303 to be written
>up, it should be done similar to this with a insecure delegation
>to 64.100.IN-ADDR.ARPA, to allow the ISP's using this range and
>others to server their own instances of 64.100.IN-ADDR.ARPA without
>DNSSEC validation failures, and a DNAME to the AS112 traffic sink
>for the leaked traffic.
>64.100.IN-ADDR.ARPA  SOA ...
>64.100.IN-ADDR.ARPA  NS ...
>64.100.IN-ADDR.ARPA  NS ...
>Note: there are no DNSKEY records.  This is deliberate.

I notice, however, that this is not what RFC 7535 suggests (e.g. for
the similar case of 2.0.192.IN-ADDR.ARPA). Instead a DNAME directly
in the (signed) parent zone is described.

Would this actually break a validating resolver with a locally defined
(unsigned) empty zone 2.0.192.IN-ADDR.ARPA ? The parent zone can produce
a proof that there is no signed delegation, but only by revealing the
signed DNAME.

Chris Thompson
Email: cet1 at cam.ac.uk

More information about the bind-users mailing list