DNSSEC adoption

Mark Elkins mje at posix.co.za
Wed Aug 3 16:43:31 UTC 2022


I generally agree with you - comments inline.

On 8/3/22 5:56 PM, Peter wrote:
> I see a two-fold issue with DNSSEC:
>
> 1. The wide-spread tutorials seem to explain a key rollover as an
>     exceptional activity, a *change* that is infrequently done. And
>     changes, specifically the infrequent ones, bring along the
>     possibility of failure, mostly due to human error.

Domains with Cloudflare seem to get signed once (KSK/DS, etc.) and 
that's it!


>     I don't see a reason why this is so. DNSSEC can be fully
>     automated (mine is), and then it can be done frequently, and the
>     human factor is out of the loop. It is then no longer a change,
>     but a regular operation that happens every <week/month/quarter>
>     without anybody even needing to notice it.
>     (Let's Encrypt did the same for certificates, and that also works
>     well.)

Both my DNSSEC and Let's Encrypt are totally automated as well. I 
usually run two KSKs overlapping by 6 months - so plenty of "rollover" 
time. For other domains, there is only a second KSK for a week or so.


> 2. TCP seems still to be considered a second-class-citizen in the
>     DNS world. (If I got the details right, TCP is only "optional",

Agh! No. NOT OPTIONAL. One might see it as a fall-back for when UDP 
fails (truncated), but it is completely necessary!


>     and must only be tried as a second choice after receiving TC.)
>     So people may be induced to try and squeeze replies into whatever
>     512 or 1280 or 1500 bytes. Which means, they probably cannot use
>     more than one key, and so take possible redundancy out of the game.
>
>     I do not currently know how or where this issue could be
>     tackled appropriately; I for my part have decided to happily ignore
>     it, and am using *four* KSKs, thereby supporting RFC 5011 and RFC
>     7344, all with one simple script - and anyway now I have the longest;
>     here you can see it in action: https://dnsviz.net/d/daemon.contact/dnssec/
>     Let's see where this leads into problems; for now it appears not to.
>
> -- PMc


Fair enough. And Elliptic Curve (Algo 13 ???) - so much shorter.

PS - Algorithm rollovers can be fun!!!

-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496 <tel:+27826010496>
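The point made above, that TCP is a fall-back for when a UDP reply comes back truncated rather than an optional extra, is easiest to see in the resolver logic itself. The following is an added, offline example (not code from either poster or from BIND): it builds a minimal DNS query, inspects the TC bit in the UDP reply header, and only then repeats the same query over TCP with the two-byte length framing RFC 1035 requires. The "server" is a constructed fake that serves a DNSKEY RRset of four keys; `example.test.`, the key bytes and the 512-byte UDP limit are assumed sample values, and the RRset is deliberately larger than 512 bytes so that the UDP path truncates while a larger limit lets it through.

```python
"""DNS truncation handling: query over UDP first, retry over TCP when TC is set.
Transports are injected callables, so the whole thing runs without a network."""
import struct

QTYPE_DNSKEY = 48
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # response was truncated; the full answer needs TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
UDP_MAX = 512      # classic UDP payload limit without EDNS (assumed for the demo)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (RFC 1035 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(txid, flags, name, qtype, rrs=()):
    """One question section plus any pre-encoded answer RRs."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + b"".join(rrs)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC)}


def frame_for_tcp(msg):
    """TCP carries each message behind a two-byte length prefix (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(data):
    """Return (message, remaining bytes); raise if the frame is incomplete."""
    if len(data) < 2:
        raise ValueError("incomplete TCP length prefix")
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("incomplete TCP DNS message")
    return data[2:2 + length], data[2 + length:]


def resolve(name, qtype, udp_send, tcp_send, txid=0x1234):
    """Send over UDP; if the reply has TC set, repeat over TCP. Returns (reply, transport)."""
    query = build_message(txid, FLAG_RD, name, qtype)
    reply = udp_send(query)
    h = parse_header(reply)
    if h["id"] != txid or not h["qr"]:
        raise ValueError("UDP reply does not match the query")
    if not h["tc"]:
        return reply, "udp"
    # Truncated: a partial RRset cannot be validated, so the TCP retry is mandatory.
    tcp_reply, _rest = unframe_from_tcp(tcp_send(frame_for_tcp(query)))
    h = parse_header(tcp_reply)
    if h["id"] != txid or not h["qr"] or h["tc"]:
        raise ValueError("TCP reply invalid or still truncated")
    return tcp_reply, "tcp"


# ---- constructed fake authoritative server (sample data, not real keys) ----
EXAMPLE_ZONE = "example.test."   # assumed sample zone name


def fake_dnskey_rr(key_bytes, flags=257, algorithm=13):
    """DNSKEY RR whose owner is a compression pointer to the question name (0xC00C)."""
    rdata = struct.pack("!HBB", flags, 3, algorithm) + key_bytes
    return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_DNSKEY, 1, 3600, len(rdata)) + rdata


FULL_RRSET = [fake_dnskey_rr(bytes([i]) * 200) for i in range(1, 5)]  # four constructed keys


def make_fake_server(udp_max=UDP_MAX):
    """UDP path truncates when the full reply exceeds udp_max; TCP always serves it all."""
    def full_reply(txid):
        return build_message(txid, FLAG_QR | FLAG_RD | FLAG_RA, EXAMPLE_ZONE,
                             QTYPE_DNSKEY, FULL_RRSET)

    def udp_send(query):
        txid = parse_header(query)["id"]
        reply = full_reply(txid)
        if len(reply) <= udp_max:
            return reply
        # Does not fit: set TC and send the question only (no answer RRs).
        return build_message(txid, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC,
                             EXAMPLE_ZONE, QTYPE_DNSKEY)

    def tcp_send(framed_query):
        query, _ = unframe_from_tcp(framed_query)
        return frame_for_tcp(full_reply(parse_header(query)["id"]))

    return udp_send, tcp_send


def demo(udp_max=UDP_MAX):
    """Return (transport used, number of DNSKEY RRs obtained)."""
    udp_send, tcp_send = make_fake_server(udp_max)
    reply, transport = resolve(EXAMPLE_ZONE, QTYPE_DNSKEY, udp_send, tcp_send)
    return transport, parse_header(reply)["ancount"]


if __name__ == "__main__":
    print(demo())       # ('tcp', 4): four ~200-byte keys do not fit in 512 bytes
    print(demo(4096))   # ('udp', 4): a larger payload limit avoids the retry
```

A resolver that skipped the TCP step would be left with the TC reply's empty answer section, which is exactly the situation in which a multi-KSK DNSKEY RRset becomes unresolvable; the fake server's 512 versus 4096 limit shows why advertised UDP sizes only move the threshold rather than remove the need for TCP.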


