<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
On 17-Feb-22 04:06, G.W. Haywood wrote:<br>
<blockquote type="cite"
cite="mid:%3C9d13a6b-d52-fc51-ed31-46b314f16fc@jubileegroup.co.uk%3E">Hi
Grant,
<br>
<br>
On Thu, 17 Feb 2022, Grant Taylor wrote:
<br>
<br>
<blockquote type="cite">Please clarify if you are talking about
DNSSEC for your own zone that they are doing secondary transfers
of or if you are talking about DNSSEC for the IPv6's reverse DNS
namespace that they delegate to you.
<br>
</blockquote>
<br>
Ah, good point Grant.
<br>
<br>
The reverse zones are delegated to us but they aren't signed.
<br>
<br>
</blockquote>
<p>Yes, the issue with HE is that while they will delegate reverse
zones to you, they don't accept DS records. So you can sign your
zones, but there is no signature chain to the root.</p>
<p>Before ISC retired DLV, it was possible to use that path - and I
did. But unfortunately that ship has sailed. <br>
</p>
<p>dnsviz shows that HE hasn't signed its reverse zone. That would
be a prerequisite to DNSSEC for zones it delegates to customers,
as would be a mechanism for submitting DS records to HE.<br>
</p>
<p>The issue has been open for (almost) 12 years. I haven't seen
any updates from HE since the incoherent reply in the thread at <a
moz-do-not-send="true"
href="https://forums.he.net/index.php?topic=890.msg22055#msg22055"
class="moz-txt-link-freetext">https://forums.he.net/index.php?topic=890.msg22055#msg22055</a></p>
<p>It's rather difficult to exert pressure on a vendor that's
providing a free service. But enough polite requests might help.</p>
<p>Perhaps further discussion of this belongs elsewhere... it seems
to be wandering from BIND.<br>
</p>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
</body>
</html>