On Mon, May 11, 2015 at 10:37:20PM +0200, Johannes Löthberg wrote:
> On 11/05, Denis Fondras wrote:
> >>
> >> 2- DNSSEC is still painful to setup, no one does it unfortunately :-/
> >>
> >
> > More precisely, it is easy to setup and painful to manage :D
> >
>
> Well, BIND's automatic signing gives you nothing to manage really.
>
Well, it's not too tricky but it requires being extra rigorous.

For instance, a few days ago I realized that my ns2 was desynched from my ns1; for some reason it was serving an older version of the zone. How did I realize? Well, when people complained that they could no longer send me mail, and they could no longer reach my website.

Two months ago, it was because my keys had expired and when I regen-ed a new set, I forgot to publish zsk/ksk at my registrar.

Sure, in both cases the error was on my side, but switching to DNSSEC means you no longer fail gracefully when there's a problem. So many people are now using the Google DNS (sigh..) and any problem with your DNSSEC leads their DNS to reply NXDOMAIN on your domain.

--
Gilles Chehade

https://www.poolp.org @poolpOrg
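The three incidents in this message (a secondary serving a stale zone, a regenerated KSK whose DS was never published at the registrar, and signatures running out) can all be caught by a monitor before resolvers start failing validation. The following is an added example, not code from the thread or from OpenSMTPD: a Python check over constructed dig-style data. The nameserver names, serials, the toy 4-byte DNSKEY and the DS digests are made up (a real algorithm 13 key is 64 bytes); the key tag computation follows RFC 4034 Appendix B.

```python
import base64
from datetime import datetime

# Constructed inputs, as you would get from `dig +short SOA @nsX`, `dig DNSKEY`,
# `dig DS` at the parent and the expiration field of an RRSIG. All values are made up.
SOA_SERIALS = {"ns1.example.net.": 2015051101, "ns2.example.net.": 2015050301}
DNSKEY_RR = "257 3 13 AQIDBA=="          # flags proto alg base64-key (toy key)
DS_AT_PARENT = "12345 13 2 " + "00" * 32  # stale: still points at the old KSK tag
RRSIG_EXPIRATION = "20150518000000"       # YYYYMMDDHHmmSS, UTC
NOW = datetime(2015, 5, 11)
EXPIRY_WARN_DAYS = 14


def dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd offsets low byte, even offsets high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_covers_dnskey(ds_rr, dnskey_rr):
    """True when the parent's DS (key tag and algorithm) refers to this DNSKEY."""
    ds_tag, ds_alg = (int(x) for x in ds_rr.split()[:2])
    flags, proto, alg, key = dnskey_rr.split()
    return ds_tag == dnskey_key_tag(int(flags), int(proto), int(alg), key) and ds_alg == int(alg)


def serial_desync(soa_serials):
    """Nameservers whose SOA serial lags behind the highest serial seen."""
    newest = max(soa_serials.values())
    return sorted(ns for ns, serial in soa_serials.items() if serial != newest)


def rrsig_days_left(rrsig_expiration, now):
    return (datetime.strptime(rrsig_expiration, "%Y%m%d%H%M%S") - now).days


def run_checks():
    """Return human-readable findings; an empty list means the zone looks healthy."""
    findings = [f"{ns} serves a stale zone" for ns in serial_desync(SOA_SERIALS)]
    if not ds_covers_dnskey(DS_AT_PARENT, DNSKEY_RR):
        findings.append("DS at the parent does not match the published KSK")
    days = rrsig_days_left(RRSIG_EXPIRATION, NOW)
    if days < EXPIRY_WARN_DAYS:
        findings.append(f"RRSIGs expire in {days} days")
    return findings


if __name__ == "__main__":
    print("\n".join(run_checks()) or "ok")
```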
