Re: DANE of SMTP Survey

2021-06-11 Thread John Levine
It appears that Tom Ivar Helbekkmo via NANOG said:
>John Levine writes:
>
>> I have signed all 300 zones on my DNS servers, but only about half of
>> them have working DNSSEC because there is no practical way to install
>> the DS records.
>
>Sounds like ICANN, having told us for a very long time

Re: DANE of SMTP Survey

2021-06-11 Thread Tom Ivar Helbekkmo via NANOG
John Levine writes:
> I have signed all 300 zones on my DNS servers, but only about half of
> them have working DNSSEC because there is no practical way to install
> the DS records.

Sounds like ICANN, having told us for a very long time that they want DNSSEC everywhere, should attempt to get a

Re: DANE of SMTP Survey

2021-06-11 Thread John Levine
It appears that Tom Ivar Helbekkmo via NANOG said:
>Jeroen Massar via NANOG writes:
>
>> No, not even kidding. For many organisations DNSSEC is 'scary' and a
>> burden as it feels 'fragile' for them.
>
>Unfortunately, yes. And those of us who use it know that this is a
>myth. With modern

Re: DANE of SMTP Survey

2021-06-11 Thread Tom Ivar Helbekkmo via NANOG
Jeroen Massar via NANOG writes:
> No, not even kidding. For many organisations DNSSEC is 'scary' and a
> burden as it feels 'fragile' for them.

Unfortunately, yes. And those of us who use it know that this is a myth. With modern software, DNSSEC is quick and easy to set up, and works just

Re: DANE of SMTP Survey

2021-06-08 Thread Mark Tinka
On 6/3/21 23:41, babydr DBA James W. Laferriere wrote: The Signing of the 'Zone' ,  Can the 'Zone' be signed by a self-signed key ?  Or MUST I (and others) rely on a external certificate authority ? Mind you I notice in rfc6487 (note(s)) about self-signed certificates . So

Re: DANE of SMTP Survey

2021-06-04 Thread babydr DBA James W. Laferriere
Hello Mr. Tinka & Mr. Andrews , Please see below . On Thu, 3 Jun 2021, Mark Tinka wrote: On 6/3/21 00:25, babydr DBA James W. Laferriere wrote: The Below is to keep thread of thought accurate ... On Wed, 2 Jun 2021, Mark Tinka wrote: * Step 2 - take your time cluing up on

Re: DANE of SMTP Survey

2021-06-03 Thread Mark Andrews
DANE works with self generated CERTs. The TLSA record provides the cryptographic link back to the DNSSEC root.

--
Mark Andrews

> On 3 Jun 2021, at 22:32, babydr DBA James W. Laferriere
> wrote:
>
> Hello Mark ,
>
>> On Wed, 2 Jun 2021, Mark Tinka wrote:
>>> On 6/2/21 11:07, Jeroen

Re: DANE of SMTP Survey

2021-06-03 Thread babydr DBA James W. Laferriere
Hello Mark , On Wed, 2 Jun 2021, Mark Tinka wrote: On 6/2/21 11:07, Jeroen Massar via NANOG wrote: As for solutions: better education, more improvements to the tools & making it easier. CDS records already help a lot. But we might also need to improve recovery mechanisms, as f-ups

Re: DANE of SMTP Survey

2021-06-03 Thread Mark Tinka
On 6/3/21 00:25, babydr DBA James W. Laferriere wrote:
> Again ,  Will this handle the case of self-signed only ?

Not sure I understand your question, in both cases of recursion and authoritative.

Mark.

Re: DANE of SMTP Survey

2021-06-03 Thread Mark Tinka
On 6/3/21 04:53, Jeroen Massar via NANOG wrote:
> Jeroen
>   (who has the majority of domains under my control DNSSEC signed, but... not all; need to do the DANE part though still)

You and me both, on the DANE bit :-).

Mark.

Re: DANE of SMTP Survey

2021-06-02 Thread Jeroen Massar via NANOG
[ The kicker about DNSSEC is in the dnsviz links, enjoy ;) TLDR: As long as the very big providers don't demand DNSSEC / DANE, why bother as a small network (just, be prepared to deploy when it starts affecting spam scoring or your search rankings), but small networks do benefit unlike the

Re: DANE of SMTP Survey

2021-06-02 Thread Scott Morizot
On Wed, Jun 2, 2021 at 8:54 AM Bjørn Mork wrote:
> Jeroen Massar via NANOG writes:
>
> > For many organisations DNSSEC is 'scary' and a burden as it feels
> > 'fragile' for them.
>
> For "many"? Can you name one that doesn't feel like that?
>
>

Re: DANE of SMTP Survey

2021-06-02 Thread Jeroen Massar via NANOG
On 2021-06-02 15:47, Bjørn Mork wrote:
> Jeroen Massar via NANOG writes:
> > For many organisations DNSSEC is 'scary' and a burden as it feels
> > 'fragile' for them.
>
> For "many"? Can you name one that doesn't feel like that?

Large organisations with 24/7 NOC teams where at least a few folks work

Re: DANE of SMTP Survey

2021-06-02 Thread Bjørn Mork
Jeroen Massar via NANOG writes:
> For many organisations DNSSEC is 'scary' and a burden as it feels
> 'fragile' for them.

For "many"? Can you name one that doesn't feel like that?

https://www.arin.net/vault/announcements/2019/20190204.html

Re: DANE of SMTP Survey

2021-06-02 Thread Mark Tinka
On 6/2/21 11:07, Jeroen Massar via NANOG wrote: As for solutions: better education, more improvements to the tools & making it easier. CDS records already help a lot. But we might also need to improve recovery mechanisms, as f-ups are made, and you don't want to be off this Internet thing

Re: DANE of SMTP Survey

2021-06-02 Thread Jeroen Massar via NANOG
> On 20210601, at 15:15, Moritz Müller via NANOG wrote:
>
> Hi,
>
> DANE for SMTP is not deployed on large scale. Together with researchers from
> Seoul National University, Virginia Tech and the University of Twente, we
> would like to understand which challenges operators face when