internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

RPKI test for higher nameservers (like for TLD and root) #633

Open baknu opened 2 years ago

baknu commented 2 years ago

In the upcoming RPKI signing test we check for valid ROAs on the IP addresses of the webservers, mailservers, and nameservers (of the domain itself and of the MX domain). We do not test IP addresses of higher nameservers (e.g. TLD nameservers like for .nl and root nameservers).

In the future we might want to change this and also test for these higher nameservers. Before doing so, we should consider the added value in terms of security but also in terms of control (i.e. an end user is probably not in a good position to set requirements on higher nameservers).
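The kind of check described in the comment above, sketched as an added example (not Internet.nl's code, and not part of the original thread): RFC 6811 route origin validation applied to the announced routes that cover a server address. The VRPs, routes, ASNs and addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max length, origin ASN).
# Documentation prefixes and reserved ASNs, not real routing data.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

# Constructed BGP announcements: (prefix, origin ASN).
ROUTES = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64502),
    ("2001:db8:1::/48", 64501),
    ("2001:db8:2:8000::/49", 64501),
]

def validate_route(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers this route
        # AS0 in a VRP never matches; the route must also respect max length.
        if vrp_asn == origin_asn and vrp_asn != 0 and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def check_address(ip, routes=ROUTES, vrps=VRPS):
    """Validation state of every announced route covering one server address."""
    addr = ipaddress.ip_address(ip)
    results = []
    for prefix, asn in routes:
        if addr in ipaddress.ip_network(prefix):
            results.append((prefix, asn, validate_route(prefix, asn, vrps)))
    return results
```

A nameserver address whose covering route comes back `not-found` has no ROA at all, which is a different finding from `invalid`, where a ROA exists but the origin or prefix length does not match.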

baknu commented 2 years ago

@mdavids: do all of the IP addresses of the .nl nameservers have valid RPKI ROAs?

mdavids commented 2 years ago

No, only ns1.dns.nl and ns2.dns.nl, not ns3.dns.nl.

baknu commented 2 years ago

Okay, thanks. Any plans to also do RPKI for ns3.dns.nl?

mdavids commented 2 years ago

It's beyond our control, because ns3.dns.nl is operated by NIC.at / Rcode0. Last time we checked with them, they were a little reluctant after some disappointing earlier experiences. But they are still intending to enable it at some point in time.