On 2015-05-12 08:43, Gilles Chehade wrote:
> On Mon, May 11, 2015 at 10:37:20PM +0200, Johannes Löthberg wrote:
> > On 11/05, Denis Fondras wrote:
> > > > 2- DNSSEC is still painful to setup, no one does it unfortunately :-/
> > >
> > > More precisely, it is easy to setup and painful to manage :D
> >
> > Well, BIND's automatic signing gives you nothing to manage really.
>
> Well, it is not too tricky but it requires being extra rigorous.
>
> For instance, a few days ago I realized that my ns2 was desynched from
> my ns1, for some reason it was serving an older version of the zone.
>
> How did I realize?
>
> Well, when people complained that they could no longer send me mail, and
> they could no longer reach my website.
>
> Two months ago, it was because my keys had expired and when I regen-ed a
> new set, I forgot to publish zsk/ksk at my registrar.
>
> Sure, in both cases the error was on my side, but switching to DNSSEC means
> you no longer fail gracefully when there's a problem. So many people are
> now using the Google DNS (sigh..) and any problem with your DNSSEC leads
> their DNS to reply NXDOMAIN on your domain.

Slightly OT, but other than setting up my own DNS caching resolver, what are the alternatives to these sorts of public services? In particular, is there one that won't do this when DNSSEC fails?

> --
> Gilles Chehade
>
> https://www.poolp.org @poolpOrg

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
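Both outages described in the quoted mail (a secondary serving a stale zone, and signatures running out after a key rollover) are detectable before validating resolvers start returning failures. The following is an added example, not code from the thread or from any project mentioned in it: it checks SOA serials across nameservers for lag and parses RRSIG records in presentation format to flag expired or soon-to-expire signatures. The zone name, serials and RRSIG lines are constructed sample data.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample data for a hypothetical zone; ns2 lags behind ns1.
SOA_SERIALS = {"ns1.example.org": 2015051201, "ns2.example.org": 2015050901}

# Constructed RRSIG records in presentation format (RFC 4034, section 3.2):
# type covered, algorithm, labels, original TTL, expiration, inception,
# key tag, signer name, signature. The signature field is a placeholder.
RRSIGS = [
    "example.org. 3600 IN RRSIG SOA 8 2 3600 20150601000000 20150502000000 12345 example.org. AAAA==",
    "example.org. 3600 IN RRSIG MX 8 2 3600 20150513120000 20150413120000 12345 example.org. AAAA==",
]


def utc(*args):
    """Build an aware UTC datetime; RRSIG timestamps are always UTC."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_rrsig_times(record):
    """Return (type covered, expiration, inception) from one RRSIG line."""
    fields = record.split()
    rdata = fields[fields.index("RRSIG") + 1:]
    fmt = "%Y%m%d%H%M%S"
    expiration = datetime.strptime(rdata[4], fmt).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(rdata[5], fmt).replace(tzinfo=timezone.utc)
    return rdata[0], expiration, inception


def check_signatures(records, now, warn_days=7):
    """Flag signatures a validator would reject now, or will reject soon."""
    problems = []
    for rec in records:
        rtype, exp, inc = parse_rrsig_times(rec)
        if now < inc:
            problems.append(f"RRSIG {rtype}: not yet valid (inception {inc:%Y-%m-%d})")
        elif now >= exp:
            problems.append(f"RRSIG {rtype}: EXPIRED at {exp:%Y-%m-%d %H:%M}")
        elif exp - now < timedelta(days=warn_days):
            problems.append(f"RRSIG {rtype}: expires in {(exp - now).days} days")
    return problems


def check_serials(serials):
    """Flag every nameserver whose SOA serial is behind the newest one seen."""
    newest = max(serials.values())
    return [f"{ns} serves serial {s} (newest is {newest})"
            for ns, s in serials.items() if s < newest]


if __name__ == "__main__":
    for problem in check_serials(SOA_SERIALS) + check_signatures(RRSIGS, utc(2015, 5, 12, 8, 43)):
        print("WARN", problem)
```

In practice the serials and RRSIGs would come from querying each authoritative server directly (not through a cache) on a schedule; the warning threshold should be longer than the signing interval so a stalled re-signing job is noticed before anything expires.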