Re: DANE of SMTP Survey

2021-06-11 Thread John Levine
It appears that Tom Ivar Helbekkmo via NANOG said: >John Levine writes: > >> I have signed all 300 zones on my DNS servers, but only about half of >> them have working DNSSEC because there is no practical way to install >> the DS records. > >Sounds like ICANN, having told us for a very long time

Re: DANE of SMTP Survey

2021-06-11 Thread Tom Ivar Helbekkmo via NANOG
John Levine writes: > I have signed all 300 zones on my DNS servers, but only about half of > them have working DNSSEC because there is no practical way to install > the DS records. Sounds like ICANN, having told us for a very long time that they want DNSSEC everywhere, should attempt to get a

Re: DANE of SMTP Survey

2021-06-11 Thread John Levine
It appears that Tom Ivar Helbekkmo via NANOG said: >Jeroen Massar via NANOG writes: > >> No, not even kidding. For many organisations DNSSEC is 'scary' and a >> burden as it feels 'fragile' for them. > >Unfortunately, yes. And those of us who use it know that this is a >myth. With modern

Re: DANE of SMTP Survey

2021-06-11 Thread Tom Ivar Helbekkmo via NANOG
Jeroen Massar via NANOG writes: > No, not even kidding. For many organisations DNSSEC is 'scary' and a > burden as it feels 'fragile' for them. Unfortunately, yes. And those of us who use it know that this is a myth. With modern software, DNSSEC is quick and easy to set up, and works just

Re: DANE of SMTP Survey

2021-06-08 Thread Mark Tinka
On 6/3/21 23:41, babydr DBA James W. Laferriere wrote: The Signing of the 'Zone' ,  Can the 'Zone' be signed by a self-signed key ?  Or MUST I (and others) rely on a external certificate authority ? Mind you I notice in rfc6487 (note(s)) about self-signed certificates . So

Re: DANE of SMTP Survey

2021-06-04 Thread babydr DBA James W. Laferriere
Hello Mr. Tinka & Mr. Andrews , Please see below . On Thu, 3 Jun 2021, Mark Tinka wrote: On 6/3/21 00:25, babydr DBA James W. Laferriere wrote: The Below is to keep thread of thought accurate ... On Wed, 2 Jun 2021, Mark Tinka wrote: * Step 2 - take your time cluing up on

Re: DANE of SMTP Survey

2021-06-03 Thread Mark Andrews
DANE works with self generated CERTs. The TLSA record provides the cryptographic link back to the DNSSEC root. -- Mark Andrews > On 3 Jun 2021, at 22:32, babydr DBA James W. Laferriere > wrote: > > Hello Mark , > >> On Wed, 2 Jun 2021, Mark Tinka wrote: >>> On 6/2/21 11:07, Jeroen

Re: DANE of SMTP Survey

2021-06-03 Thread babydr DBA James W. Laferriere
Hello Mark , On Wed, 2 Jun 2021, Mark Tinka wrote: On 6/2/21 11:07, Jeroen Massar via NANOG wrote: As for solutions: better education, more improvements to the tools & making it easier. CDS records already help a lot. But we might also need to improve recovery mechanisms, as f-ups

Re: DANE of SMTP Survey

2021-06-03 Thread Mark Tinka
On 6/3/21 00:25, babydr DBA James W. Laferriere wrote:
> Again , Will this handle the case of self-signed only ?
Not sure I understand your question, in both cases of recursion and authoritative.
Mark.

Re: DANE of SMTP Survey

2021-06-03 Thread Mark Tinka
On 6/3/21 04:53, Jeroen Massar via NANOG wrote:
> Jeroen (who has the majority of domains under my control DNSSEC signed, but... not all; need to do the DANE part though still)
You and me both, on the DANE bit :-).
Mark.

Re: DANE of SMTP Survey

2021-06-02 Thread Jeroen Massar via NANOG
[ The kicker about DNSSEC is in the dnsviz links, enjoy ;) TLDR: As long as the very big providers don't demand DNSSEC / DANE, why bother as a small network (just, be prepared to deploy when it starts affecting spam scoring or your search rankings), but small networks do benefit unlike the

Re: DANE of SMTP Survey

2021-06-02 Thread Scott Morizot
On Wed, Jun 2, 2021 at 8:54 AM Bjørn Mork wrote: > Jeroen Massar via NANOG writes: > > > For many organisations DNSSEC is 'scary' and a burden as it feels > > 'fragile' for them. > > For "many"? Can you name one that doesn't feel like that? > >

Re: DANE of SMTP Survey

2021-06-02 Thread Jeroen Massar via NANOG
On 2021-06-02 15:47, Bjørn Mork wrote: Jeroen Massar via NANOG writes: For many organisations DNSSEC is 'scary' and a burden as it feels 'fragile' for them. For "many"? Can you name one that doesn't feel like that? Large organisations with 24/7 NOC teams where at least a few folks work

Re: DANE of SMTP Survey

2021-06-02 Thread Bjørn Mork
Jeroen Massar via NANOG writes:
> For many organisations DNSSEC is 'scary' and a burden as it feels
> 'fragile' for them.
For "many"? Can you name one that doesn't feel like that?
https://www.arin.net/vault/announcements/2019/20190204.html

Re: DANE of SMTP Survey

2021-06-02 Thread Mark Tinka
On 6/2/21 11:07, Jeroen Massar via NANOG wrote: As for solutions: better education, more improvements to the tools & making it easier. CDS records already help a lot. But we might also need to improve recovery mechanisms, as f-ups are made, and you don't want to be off this Internet thing

Re: DANE of SMTP Survey

2021-06-02 Thread Jeroen Massar via NANOG
> On 20210601, at 15:15, Moritz Müller via NANOG wrote: > > Hi, > > DANE for SMTP is not deployed on large scale. Together with researchers from > Seoul National University, Virginia Tech and the University of Twente, we > would like to understand which challenges operators face when

DANE of SMTP Survey

2021-06-01 Thread Moritz Müller via NANOG
Hi, DANE for SMTP is not deployed on large scale. Together with researchers from Seoul National University, Virginia Tech and the University of Twente, we would like to understand which challenges operators face when deploying DANE for SMTP. Also, we would like to understand how operators