DNSSEC adoption
Mark Elkins
mje at posix.co.za
Wed Aug 3 16:43:31 UTC 2022
I generally agree with you - comments inline
On 8/3/22 5:56 PM, Peter wrote:
> I see a two-fold issue with DNSSEC:
>
> 1. The wide-spread tutorials seem to explain a key rollover as an
> exceptional activity, a *change* that is infrequently done. And
> changes, specifically the infrequent ones, bring along the
> possibility of failure, mostly due to human error.
Domains with Cloudflare seem to get signed once (KSK/DS etc.) and
that's it!
> I don't see a reason why this is so. DNSSEC can be fully
> automated (mine is), and then it can be done frequently, and the
> human factor is out of the loop. It is then no longer a change,
> but a regular operation that happens every <week/month/quarter>
> without anybody even needing to notice it.
> (Let'sEncrypt did the same for certificates, and that also works
> well.)
Both my DNSSEC and Let's Encrypt are totally automated as well. I
usually run two KSKs overlapping by 6 months - so plenty of "rollover"
time. For other domains, there is only a second KSK for a week or so.
> 2. TCP seems still to be considered a second-class-citizen in the
> DNS world. (If I got the details right, TCP is only "optional",
Agh! No. NOT OPTIONAL. One might see it as a fall-back for when UDP
fails (Truncated) but it is completely necessary!
> and must only be tried as a second choice after receiving TC.)
> So people may be induced to try and squeeze replies into whatever
> 512 or 1280 or 1500 bytes. Which means, they probably cannot use
> more than one key, and so take possible redundancy out of the game.
>
> I do not currently know how or where this issue could be
> tackled appropriately; I for my part have decided to happily ignore
> it, and am using *four* KSKs, thereby supporting RFC 5011 and RFC
> 7344, all with one simple script - and anyway now I have the longest;
> here you can see it in action: https://dnsviz.net/d/daemon.contact/dnssec/
> Let's see where this leads into problems; for now it appears not to.
>
> -- PMc
Fair enough. And Elliptical Curve (Algo 13 ???) - so much shorter.
ps - Algorithm rollovers can be fun!!!
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.826010496 <tel:+27826010496>
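The size argument running through this thread (several KSKs versus 512/1280/1500-byte replies, and Mark's point that algorithm 13 keys are much shorter) can be checked with arithmetic on the DNSKEY and RRSIG wire formats. The following is an added example, not code from either poster or from BIND. It assumes a constructed zone name example.com., an RSA public exponent of 65537, that only the KSKs sign the DNSKEY RRset (the hypothetical kskonly flag), that owner names are compressed to a 2-byte pointer, and an EDNS buffer of 1232 bytes; field sizes follow RFC 4034, RFC 3110, RFC 6605 and RFC 8080.

```python
"""Estimate the wire size of a DNSKEY query response for a given key set and
report whether it fits in classic 512-byte UDP, an EDNS UDP buffer, or needs TCP.
Added example; the zone name and key sets below are constructed, not real."""
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSASHA256 = 8
RSASHA512 = 10
ECDSAP256SHA256 = 13
ECDSAP384SHA384 = 14
ED25519 = 15

KSK_FLAGS = 257   # zone key + SEP bit
ZSK_FLAGS = 256   # zone key only


@dataclass(frozen=True)
class Key:
    flags: int        # 257 = KSK, 256 = ZSK
    algorithm: int
    bits: int = 0     # RSA modulus size; unused for fixed-size curves


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name (length-prefixed labels + root)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def public_key_len(key: Key) -> int:
    """Length of the DNSKEY 'public key' field for the key's algorithm."""
    if key.algorithm in (RSASHA256, RSASHA512):
        # RFC 3110 encoding: 1-byte exponent length, exponent (3 bytes for 65537), modulus
        return 1 + 3 + key.bits // 8
    if key.algorithm == ECDSAP256SHA256:
        return 64     # RFC 6605: uncompressed x||y
    if key.algorithm == ECDSAP384SHA384:
        return 96
    if key.algorithm == ED25519:
        return 32     # RFC 8080
    raise ValueError(f"unsupported algorithm {key.algorithm}")


def signature_len(key: Key) -> int:
    """Length of an RRSIG 'signature' field produced by the key."""
    if key.algorithm in (RSASHA256, RSASHA512):
        return key.bits // 8
    return {ECDSAP256SHA256: 64, ECDSAP384SHA384: 96, ED25519: 64}[key.algorithm]


def dnskey_response_size(zone: str, keys: list, edns: bool = True, kskonly: bool = True) -> int:
    """Bytes in a response to 'zone DNSKEY': header, question, DNSKEY RRs, RRSIGs, OPT."""
    owner = 2                         # compressed pointer to the question name
    rr_fixed = owner + 10             # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
    size = 12 + name_wire_len(zone) + 4   # header + question (QNAME QTYPE QCLASS)
    if edns:
        size += 11                    # OPT pseudo-RR: root name + fixed fields, no options
    for key in keys:
        size += rr_fixed + 4 + public_key_len(key)   # flags(2) protocol(1) algorithm(1) + key
    for key in keys:
        if kskonly and key.flags != KSK_FLAGS:
            continue
        # RRSIG RDATA: 18 fixed bytes + signer's name (never compressed) + signature
        size += rr_fixed + 18 + name_wire_len(zone) + signature_len(key)
    return size


def transport_needed(size: int, edns_buf: int = 1232) -> str:
    """Which transport a reply of this size realistically needs."""
    if size <= 512:
        return "udp-512"
    if size <= edns_buf:
        return f"udp-edns-{edns_buf}"
    return "tcp"   # or a large EDNS buffer plus IP fragmentation, which is what the thread warns about


if __name__ == "__main__":
    # Constructed key sets mirroring the thread: four RSA KSKs versus the same plan on algorithm 13.
    cases = {
        "4 RSA-2048 KSK + 1 ZSK": [Key(KSK_FLAGS, RSASHA256, 2048)] * 4 + [Key(ZSK_FLAGS, RSASHA256, 2048)],
        "4 ECDSA-P256 KSK + 1 ZSK": [Key(KSK_FLAGS, ECDSAP256SHA256)] * 4 + [Key(ZSK_FLAGS, ECDSAP256SHA256)],
        "2 ECDSA-P256 KSK + 1 ZSK": [Key(KSK_FLAGS, ECDSAP256SHA256)] * 2 + [Key(ZSK_FLAGS, ECDSAP256SHA256)],
    }
    for label, keys in cases.items():
        n = dnskey_response_size("example.com.", keys)
        print(f"{label:28s} {n:5d} bytes -> {transport_needed(n)}")
```

The numbers are estimates, not a packet capture: real replies add EDNS options, may carry an uncompressed owner name, and a ZSK that also signs the DNSKEY RRset (kskonly=False) adds one more RRSIG per ZSK. They are close enough to show why four RSA-2048 KSKs push a DNSKEY reply past any sane UDP buffer while the same plan on algorithm 13 stays well inside 1232 bytes, and why a resolver must honour TC and retry over TCP.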