> On 30 Nov 2021, at 1:38 pm, John Levine <jo...@taugh.com> wrote: > > Can or should we offer advice on how to do this better, sort of like > RFC 8901 but one level of DNS expertise down?
The main advice that comes to mind is to use a DNS hosting provider with a proven (multi-year) record of doing DNSSEC reliably. If the DNS hosting provider where Cloudflare, Google, OVH, one.com, TransIP, ... the implementation would have been correct. Clearly Route 53 wasn't quite ready for prime time. It is not clear how we can help customers know which providers have solid implementations. I don't know of any mainstream certification programs that would do the job. -- Viktor. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop