
RPKI test for higher nameservers (like for TLD and root)

Open baknu opened this issue 4 years ago • 4 comments

In the upcoming RPKI signing test we check for valid ROAs on the IP addresses of the webservers, mailservers, and nameservers (of the domain itself and of the MX domain). We do not test IP addresses of higher nameservers (e.g. TLD nameservers like for .nl and root nameservers).

In the future we might want to change this and also test for these higher nameservers. Before doing so, we should consider the added value in terms of security but also in terms of control (i.e. an end user is probably not in a good position to set requirements on higher nameservers).

baknu avatar Nov 01 '21 09:11 baknu

@mdavids: do all of the IP addresses of the .nl nameservers have valid RPKI ROAs?

baknu avatar Nov 01 '21 11:11 baknu

No, only ns1.dns.nl and ns2.dns.nl, not ns3.dns.nl.

mdavids avatar Nov 01 '21 11:11 mdavids

Okay, thanks. Any plans to also do RPKI for ns3.dns.nl?

baknu avatar Nov 01 '21 11:11 baknu

It's beyond our control, because ns3.dns.nl is operated by NIC.at / Rcode0. Last time we checked with them they were a little reluctant after some disappointing earlier experiences. But they are still intending to enable it at some point in time.

mdavids avatar Nov 01 '21 11:11 mdavids
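
The per-address check this issue discusses, as an added example that is not part of the thread and not Internet.nl's own code: each nameserver address is matched to its covering BGP route, and that route is classified with RFC 6811 origin validation. The hostnames, prefixes, ASNs, ROA payloads and the "unrouted" label are constructed for illustration.

```python
import ipaddress

# All data below is constructed (documentation prefixes and ASNs).
VRPS = [  # validated ROA payloads: (prefix, maxLength, origin ASN)
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),
    ("198.51.100.0/24", 24, 64497),
]
ROUTES = [  # BGP view: (announced prefix, origin ASN)
    ("192.0.2.0/24", 64496),
    ("2001:db8:53::/48", 64496),
    ("198.51.100.0/25", 64497),  # longer than maxLength 24
    ("203.0.113.0/24", 64498),   # no ROA covers this prefix
]
NAMESERVERS = {  # hypothetical hostnames -> addresses
    "ns1.example.": ["192.0.2.53", "2001:db8:53::1"],
    "ns2.example.": ["198.51.100.53"],
    "ns3.example.": ["203.0.113.53"],
}

def validate_route(prefix, origin, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True  # at least one ROA covers the announced prefix
        if asn != 0 and asn == origin and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def best_route(ip, routes=ROUTES):
    """Longest-prefix match of an address against the BGP view."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(p), o) for p, o in routes]
    hits = [(n, o) for n, o in nets if n.version == addr.version and addr in n]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def check_nameservers(nameservers=NAMESERVERS):
    """Map each nameserver to the validation state of every address."""
    report = {}
    for host, ips in nameservers.items():
        report[host] = []
        for ip in ips:
            hit = best_route(ip)
            state = validate_route(str(hit[0]), hit[1]) if hit else "unrouted"
            report[host].append((ip, state))
    return report
```

A "not-found" result means no ROA covers the route at all, while "invalid" means a covering ROA exists but the origin or prefix length does not match it.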