I'm using bind9 and dnssec-keygen/dnssec-signzone. I've had no problem signing my forward zones however I cannot seem to find any documentation on signing reverse zones. What is the process for this?

justinzane
  • Is it just me or does this not make sense? How could you possibly sign something like `2.2.4.in-addr.arpa`, unless you owned all of the addresses in that C class? – Vasili Syrakis Mar 13 '14 at 04:36
  • @VasiliSyrakis: I'm mystified as well. I would have presumed that given "10.11.12.13 IN A foo.bar.com." the reverse would be "13.12.11.10.in-addr.arpa IN PTR foo." but I'm having trouble understanding how one sets up DNSSEC for both forward and reverse. It seems silly -- to me -- to have signed forward and unsigned reverse, but there seems to be limited docs in the first few pages of Google results. – justinzane Mar 13 '14 at 04:56
  • My friend just told me that you first need the zone delegated to you from your ISP/provider. Is that done? – Vasili Syrakis Mar 13 '14 at 05:31
  • @VasiliSyrakis: Paperwork has been filed for that to happen for a couple of the addresses. Doing more reading last night, my *guess* is that generally only institutions registered with ARIN or the like end up signing their reverse zones. Thank you again. – justinzane Mar 13 '14 at 15:04

1 Answer

The reason why there is no separate documentation for reverse zones is that reverse zones are just a subset of zones, for which there is plenty of documentation. The thing that sets a reverse zone apart from other zones is how it is (typically) used, not how it actually operates.

I.e., the only thing that is actually different is that your typical lookup of a name inside a reverse zone is for type PTR and for a name which is the result of having mapped an IP address into a name based on the standardized convention of reversing the IP address and appending .in-addr.arpa or .ip6.arpa for IPv4 and IPv6 respectively. The reverse zone itself operates just the same as any other zone, and neither the authoritative nameserver nor the resolver needs any special handling for this at all.

Håkan Lindqvist
  • That means we will be unable to sign a zone that is mapped to a private IP and queryable only from that said private subnet, right? – John Greene Nov 11 '21 at 21:03