On 05. 11. 18 19:30, Tony Finch wrote:
> Mukund Sivaraman <[email protected]> wrote:
>> On Fri, Nov 02, 2018 at 02:30:15PM -0400, Viktor Dukhovni wrote:
>>>
>>> To move DNSSEC adoption higher, CDS/CDNSKEY/... need to be supported
>>> by most registries and the signing and key rollover tooling needs
>>> to become less brittle and more user-friendly.
>
> Yes!
>
>>> Updates of ZSKs are still too manual. For example, BIND's "auto-dnssec
>>> maintain" should be able to automatically generate new ZSKs on
>>> master server from time to time, completely without user intervention.
>
> Knot DNS's automated key handling is quite a lot further ahead in
> usability. It's a great example.

Details for reference:
https://www.knot-dns.cz/docs/2.7/html/configuration.html#dnssec-automatic-ksk-management
or here
http://ripe75.ripe.net/wp-content/uploads/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf
(including the registry side)

>> There is a part-protocol part-tooling issue in DNSSEC. A mistake in
>> configuration (operator) or software bug (developer) is capable of
>> making validation of answers unusable (DoS) for a long period of time.
>
> I hope that better automation will make it harder to make mistakes,
> especially since the automation should include checks to prevent bad
> configurations from screwing things up. Bugs notwithstanding :-)

Automation will certainly help, e.g. with problems like
http://smoogespace.blogspot.com/2017/09/fedora-project-outage-rca-dns-outage.html

-- 
Petr Špaček  @  CZ.NIC

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
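The thread's point about automation "including checks to prevent bad configurations" comes down to one consistency check in practice: before a KSK rollover is considered finished (or before a delegation is handed over at all), the DS RRset in the parent must match a DNSKEY actually published in the child, otherwise every validating resolver treats the zone as bogus for as long as the mismatch lasts. The following Python script is an added example written for this page; it is not code from the thread, from Knot DNS or from BIND. It implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) computations and compares a parent-side DS set against a child-side DNSKEY set. The sample keys at the bottom are constructed, with tiny placeholder public-key bytes rather than real RSA material, purely to exercise the three outcomes; the function and field names are this example's own.

```python
import base64
import hashlib
import struct

# Digest types registered for DS (RFC 4034 / RFC 4509 / RFC 6605).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # DNSKEY "Secure Entry Point" bit, set on KSKs


def wire_name(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase) DNS wire format."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """Build DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey_presentation(text: str) -> bytes:
    """Parse presentation format, e.g. '257 3 8 AwEAAa...', into RDATA."""
    flags, protocol, algorithm, *b64 = text.split()
    return dnskey_rdata(int(flags), int(algorithm),
                        base64.b64decode("".join(b64)), int(protocol))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int):
    """DS digest = hash(canonical owner name || DNSKEY RDATA); None if unsupported."""
    fn = DS_DIGESTS.get(digest_type)
    return fn(wire_name(owner) + rdata).digest() if fn else None


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Return a DS record as (key tag, algorithm, digest type, digest hex)."""
    return (key_tag(rdata), rdata[3], digest_type,
            ds_digest(owner, rdata, digest_type).hex())


def ds_matches(owner: str, ds: tuple, rdata: bytes) -> bool:
    """True if this DS record points at this DNSKEY."""
    tag, alg, dtype, digest_hex = ds
    digest = ds_digest(owner, rdata, dtype)
    return (digest is not None and key_tag(rdata) == tag
            and rdata[3] == alg and digest.hex() == digest_hex)


def check_delegation(owner: str, parent_ds: list, child_dnskeys: list) -> dict:
    """Compare the parent's DS RRset with the child's DNSKEY RRset.

    valid:           DS records that match a published child key
    orphan_ds:       DS records with no matching child key
    unanchored_keys: key tags of SEP keys that no DS points to (rollover unfinished)
    verdict:         "bogus" when DS exists but none matches, i.e. the whole
                     zone fails validation; "ok" otherwise (warnings still apply)
    """
    findings = {"valid": [], "orphan_ds": [], "unanchored_keys": []}
    for ds in parent_ds:
        hit = any(ds_matches(owner, ds, k) for k in child_dnskeys)
        findings["valid" if hit else "orphan_ds"].append(ds)
    for k in child_dnskeys:
        is_sep = struct.unpack("!H", k[:2])[0] & SEP_FLAG
        if is_sep and not any(ds_matches(owner, ds, k) for ds in parent_ds):
            findings["unanchored_keys"].append(key_tag(k))
    findings["verdict"] = "bogus" if parent_ds and not findings["valid"] else "ok"
    return findings


if __name__ == "__main__":
    # Constructed sample: placeholder key bytes, not real keys.
    zone = "example.com."
    old_ksk = dnskey_rdata(257, 8, b"\x01\x02")
    new_ksk = dnskey_rdata(257, 8, b"\x03\x04")
    parent = [make_ds(zone, old_ksk)]
    print("steady state     :", check_delegation(zone, parent, [old_ksk])["verdict"])
    print("rollover pending :", check_delegation(zone, parent, [old_ksk, new_ksk]))
    # Old KSK removed before the parent DS was updated: the outage case.
    print("premature removal:", check_delegation(zone, parent, [new_ksk])["verdict"])
```

The last case is the failure mode the thread is worried about: the child has retired the old KSK while the parent still publishes only the old DS, so the chain of trust is broken and the zone is bogus until the registry publishes a new DS. Automation that refuses to retire a key while `unanchored_keys` or `orphan_ds` is non-empty for it is exactly the kind of guard rail Tony is describing.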
