On 2014-10-01 18:37, William Stouder-Studenmund wrote:
I learned about DANE recently and was excitedly talking to some operations friends of mine about it. Some of them work in shops that aren’t using DNSSEC yet, and DANE’s requirement of it would trigger push-back from management.
Primary nameservers like BIND or PowerDNS generate DNSSEC resource records automagically. All you need to do is hand over your DSKEY/ZSK to your domain registry periodically. Usually you just have to copy and paste the new keys into your registrar's web interface every quarter, half year or year. Even my private domains are secured with DNSSEC/DANE by using a DNS operator with managed DNSSEC. I only generate the TLSA RRs myself when I change the TLS certs every two years.
As a quick start I suggest using Shumon Huque's web generator for TLSA RRs (https://www.huque.com/bin/gen_tlsa). To reduce the effort of changing TLSA RRs when changing the TLS certificate you can use CNAMEs and wildcard RRs pointing to ONE single TLSA RR. For the client side I suggest a warning message in your shops to encourage users to install the CZNIC DNSSEC/TLSA Validator web browser add-on (https://www.dnssec-validator.cz/).
Renne

--
Best regards,
Rene Bartsch, B. Sc. Informatics

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
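The post recommends generating TLSA RRs from the certificate and pointing several service names at one shared record via CNAMEs. The following script, added here as an example and not part of the mailing-list thread or any of the tools it names, does both with the Python standard library only: a minimal DER walker pulls subjectPublicKeyInfo out of tbsCertificate, the RFC 6698 RDATA (usage, selector, matching type, association data) is computed from it, and a zone snippet with one TLSA RR plus per-service CNAMEs is emitted. The owner name `_dane.<zone>`, the zone `example.com`, the service list and the embedded toy certificate are all assumptions constructed for the example; pass a real DER file on the command line to use it instead.

```python
"""Generate DANE TLSA records from a DER-encoded X.509 certificate.

Added example (not from the mailing-list post). Standard library only: a
minimal DER walker locates subjectPublicKeyInfo inside tbsCertificate, so
selector 1 (SPKI) records can be produced without openssl or a web generator.
"""
import hashlib
import sys


def der_read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element directly inside [start, end)."""
    pos = start
    while pos < end:
        tag, _, vend = der_read_tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def extract_spki(cert_der):
    """Return the full DER encoding of SubjectPublicKeyInfo (tag and length included)."""
    tag, cert_vstart, _ = der_read_tlv(cert_der, 0)                    # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_vstart, tbs_vend = der_read_tlv(cert_der, cert_vstart)      # tbsCertificate
    fields = list(der_children(cert_der, tbs_vstart, tbs_vend))
    if fields and fields[0][0] == 0xA0:    # optional [0] EXPLICIT version
        fields = fields[1:]
    # field order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, spki_start, spki_end = fields[5]
    return cert_der[spki_start:spki_end]


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """RFC 6698 RDATA: usage, selector (0=full cert, 1=SPKI), matching type (0/1/2), hex data."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        assoc = data
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def dane_zone_snippet(zone, services, cert_der):
    """One shared TLSA RR plus a CNAME per service, the layout the post suggests.

    `_dane.<zone>` is an assumed owner name; services are (port, proto, host) tuples.
    """
    lines = [f"_dane.{zone}. IN TLSA {tlsa_rdata(cert_der)}"]
    for port, proto, host in services:
        lines.append(f"_{port}._{proto}.{host}. IN CNAME _dane.{zone}.")
    return lines


# --- constructed fixture: a structurally valid but unsigned toy certificate ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


TOY_SPKI = der_tlv(0x30,
    der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption OID
                  + der_tlv(0x05, b""))
    + der_tlv(0x03, b"\x00" + b"\x30\x06\x02\x01\x03\x02\x01\x03"))    # BIT STRING, dummy key


def build_toy_certificate(spki):
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    empty_name = der_tlv(0x30, b"")
    tbs = der_tlv(0x30,
        der_tlv(0xA0, der_tlv(0x02, b"\x02"))             # [0] version v3
        + der_tlv(0x02, b"\x01")                           # serialNumber
        + sig_alg + empty_name                             # signature, issuer
        + der_tlv(0x30, der_tlv(0x17, b"140101000000Z") + der_tlv(0x17, b"160101000000Z"))
        + empty_name + spki)                               # subject, subjectPublicKeyInfo
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 17))  # signature is a dummy


TOY_CERT = build_toy_certificate(TOY_SPKI)

if __name__ == "__main__":
    cert = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else TOY_CERT
    for line in dane_zone_snippet("example.com",
                                  [(443, "tcp", "www.example.com"), (25, "tcp", "mail.example.com")],
                                  cert):
        print(line)
```

The default of usage 3, selector 1, matching type 1 (DANE-EE, SPKI, SHA-256) is what makes the single-record scheme cheap to maintain: the record only changes when the key pair changes, not on every certificate renewal. If the key is rotated, publish the new TLSA RR alongside the old one for at least the record's TTL before switching the certificate, otherwise validating clients will refuse the connection during the overlap.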
