Mukund Sivaraman <[email protected]> wrote:

> On Fri, Nov 02, 2018 at 02:30:15PM -0400, Viktor Dukhovni wrote:
> >
> > To move DNSSEC adoption higher, CDS/CDNSKEY/... need to be supported
> > by most registries and the signing and key rollover tooling needs
> > to become less brittle and more user-friendly.

Yes!

> > Updates of ZSKs are still too manual. For example, BIND's "auto-dnssec
> > maintain" should be able to automatically generate new ZSKs on
> > master server from time to time, completely without user intervention.

Knot DNS's automated key handling is quite a lot further ahead in
usability. It's a great example.

> There is a part-protocol part-tooling issue in DNSSEC. A mistake in
> configuration (operator) or software bug (developer) is capable of
> making validation of answers unusable (DoS) for a long period of time.

I hope that better automation will make it harder to make mistakes,
especially since the automation should include checks to prevent bad
configurations from screwing things up. Bugs notwithstanding :-)

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
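The kind of check the reply asks for, as an added example that is not part of the thread and not code from BIND or Knot DNS: before a signer exposes CDS records for a registry to act on, verify that every CDS actually corresponds to a SEP-flagged DNSKEY in the zone, so a stale or mistyped record cannot lead the parent to publish a DS that breaks validation. Wire formats follow RFC 4034; the "0 0 0 00" delete form follows RFC 8078; key material and zone name are constructed.

```python
# Added example, not code from the thread or from BIND/Knot: a pre-publication check that
# the CDS RRset a signer is about to expose matches keys actually in the zone's DNSKEY RRset.
import hashlib
from collections import namedtuple
from dataclasses import dataclass

SEP_FLAG, SHA256_DIGEST = 0x0001, 2
Cds = namedtuple("Cds", "key_tag algorithm digest_type digest")

@dataclass(frozen=True)
class Dnskey:
    flags: int
    algorithm: int
    public_key: bytes  # raw public key field as carried in the RR (constructed input)
    protocol: int = 3

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit accumulator over RDATA, even offsets as the high byte.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        return (ac + (ac >> 16)) & 0xFFFF

def owner_wire(name: str) -> bytes:
    # Canonical owner name: lowercase, uncompressed labels, root terminator.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest_sha256(zone: str, key: Dnskey) -> bytes:
    # RFC 4034 section 5.1.4: DS digest = hash(owner name wire form + DNSKEY RDATA).
    return hashlib.sha256(owner_wire(zone) + key.rdata()).digest()

def check_cds(zone: str, dnskeys: list[Dnskey], cds_set: list[Cds]) -> list[str]:
    # Returns the problems found; an empty list means the CDS set is safe to publish.
    problems = []
    for cds in cds_set:
        matched = [k for k in dnskeys if k.key_tag() == cds.key_tag and k.algorithm == cds.algorithm
                   and ds_digest_sha256(zone, k) == cds.digest]
        if (cds.key_tag, cds.algorithm, cds.digest_type, cds.digest) == (0, 0, 0, b"\x00"):
            problems.append("CDS '0 0 0 00' (RFC 8078) asks the parent to delete the DS: zone goes insecure")
        elif cds.digest_type != SHA256_DIGEST:
            problems.append(f"CDS {cds.key_tag}: digest type {cds.digest_type} is not checked here")
        elif not matched:
            problems.append(f"CDS {cds.key_tag}/{cds.algorithm}: no DNSKEY in the zone has this digest")
        elif not matched[0].flags & SEP_FLAG:
            problems.append(f"CDS {cds.key_tag}: matched key lacks the SEP bit, looks like a ZSK not a KSK")
    return problems
```

Run it against the DNSKEY and CDS sets the signer is about to write, and refuse the publish step if the returned list is non-empty.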
