Hi Viktor - just curious…

When you say “operate my own DNS”, do you mean your own DNS servers at your location or maybe you manage your own zones via a DNS provider, ISP, etc.? Or perhaps some other model of which I am not aware?

- - -

On 24 Jan 2022, at 23:19, Viktor Dukhovni wrote:

On Mon, Jan 24, 2022 at 10:29:26PM +0100, Maurizio Caloro wrote:

If your provider supports neither "TLSA" records, nor the generic
(unknown type) encoding, switch to a more competent DNS provider.

please, how did you solve this, also with an external provider, or running
this task on your own bind server?

Not surprisingly, I operate my own DNS. But there are providers who do
allow you to publish any and all DNS records, not just specific ones
they've chosen to "support".  I don't have a list of these at my
fingertips.  When evaluating a potential DNS provider make sure
they don't restrict your ability to publish records of your choice.

If you want DNSSEC, avoid NameCheap, they've ignored a bug report about
incorrect denial of existence for over two years now.

Make sure your provider supports publication of resource records in RFC3597
form.

--
    Viktor.
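
Added example (not part of the original thread): the RFC 3597 generic encoding mentioned above, applied to a TLSA record, with a parser for the reverse direction. The owner name and digest are constructed samples; the type number 52 and the field ranges are those of RFC 6698.

```python
# Added example: TLSA presentation form <-> RFC 3597 generic (unknown type) form.
import hashlib

TLSA_TYPE = 52               # IANA RR type number for TLSA (RFC 6698)
DIGEST_LEN = {1: 32, 2: 64}  # matching type -> digest length in bytes


def tlsa_to_generic(usage, selector, mtype, data_hex):
    """Return 'TYPE52 \\# <len> <hex>' for the given TLSA fields."""
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("TLSA field out of range")
    data = bytes.fromhex("".join(data_hex.split()))
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError("digest length does not match the matching type")
    # RDATA wire format: usage, selector, matching type, then association data.
    rdata = bytes([usage, selector, mtype]) + data
    return f"TYPE{TLSA_TYPE} \\# {len(rdata)} {rdata.hex()}"


def generic_to_tlsa(rr):
    """Parse 'TYPE52 \\# <len> <hex...>' back into the four TLSA fields."""
    parts = rr.split()
    if len(parts) < 4 or parts[0].upper() != f"TYPE{TLSA_TYPE}" or parts[1] != "\\#":
        raise ValueError("not a TYPE52 generic record")
    rdata = bytes.fromhex("".join(parts[3:]))
    if len(rdata) != int(parts[2]) or len(rdata) < 4:
        raise ValueError("RDATA length mismatch")
    return rdata[0], rdata[1], rdata[2], rdata[3:].hex()


# Constructed sample: stand-in bytes, not a real certificate or key.
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample SPKI bytes").hexdigest()
SAMPLE_OWNER = "_25._tcp.mail.example.com."  # hypothetical owner name


def sample_zone_lines():
    """The same record in native and in generic form, as zone file lines."""
    native = f"{SAMPLE_OWNER} IN TLSA 3 1 1 {SAMPLE_DIGEST}"
    generic = f"{SAMPLE_OWNER} IN {tlsa_to_generic(3, 1, 1, SAMPLE_DIGEST)}"
    return native, generic


if __name__ == "__main__":
    for line in sample_zone_lines():
        print(line)
```

A provider that accepts the second line publishes the same wire data as one with native TLSA support, so a resolver sees no difference between the two forms.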
