Dear Chris, Chris Thompson wrote on 02-02-2010 16:31:
I hope this is the appropriate place to raise this.
There are legacy network allocations whose reverse zone is managed via RIPE, but actually delegated from higher level reverse zones run by ARIN. To take a specific example, 131.111/16 is allocated to the University of Cambridge, we manage the delegation info for 111.131.in-addr.arpa via RIPE, but 131.in-addr.arpa belongs to ARIN.
Now 111.131.in-addr.arpa is signed (since September 2009), and currently registered at dlv.isc.org. Along with the other high-level ARIN reverse zones, 131.in-addr.arpa is also signed, and
https://www.arin.net/resources/dnssec/
indicates that they may be accepting signed delegations Fairly Soon Now (depending on what you think "the first part of 2010" means).
Is it understood yet how (or even if) this will work for legacy network allocations? Ideally, this would just be a matter of supplying RIPE with the "ds-rdata" attributes as described in
https://www.ripe.net/rs/reverse/dnssec/registry-procedure.html
and they would get transferred seamlessly into the ARIN zones (and signed there).
Yes, that's the idea. The RIRs are looking at necessary changes that need to be done to the management of the shared reverse zones to support this. There is no timeline yet, but we should have a better idea mid 2010. Regards, Andrei Robachevsky CTO, RIPE NCC