13 Dub
2025
13 Dub
'25
22:47
Hi Peter
Peter Thomassen via knot-dns-users <knot-dns-users(a)lists.nic.cz> wrote:
Thanks for your feedback.
Then it seems, that I do have to stick with an unsecured ip6.arpa zone, because OVH
doesn't support that for the time being. Even their own ip6.arpa zone isn't
secured [1], if I am not mistaken.
Thanks again and regards,
Michael
[1] https://dnsviz.net/d/0.d.1.4.1.0.0.2.ip6.arpa/dnssec/
On 4/13/25 22:17, Michael Grimm via knot-dns-users
wrote:
Oh, that list
includes RIPE NCC [1]. Does that mean: it is possible to bootstrap DNSSEC for my ip6.arpa
zone?
[...]
The way I read their docs is that they only use RFC 7344, which means you can use
CDS/CDNSKEY records in your zone to *update* your pre-existing DS records.
For configuring DS records for the first time ("bootstrap"), they would need to
support RFC 8078 and/or RFC 9615, but apparently they don't do that (yet?).
All of this of course only applies if your zone is delegated directly from a parent zone
run by RIPE. If it's delegated from an intermediate zone run by someone else,
you'll have to ask that operator.