On Fri, Oct 3, 2014 at 5:38 AM, Rene Bartsch <[email protected]> wrote:
> On 2014-10-01 18:37, William Stouder-Studenmund wrote:
>>
>> I learned about DANE recently and was excitedly talking to some
>> operations friends of mine about it. Some of them work in shops that
>> aren’t using DNSSEC yet, and DANE’s requirement of it would trigger
>> push-back from management.
>
>
> Primary nameservers like BIND or PowerDNS generate DNSSEC-resource records
> automagically.

Yup.

> All you need to do is to handover your DSKEY/ZSK to your
> domain registry periodically.

Yup.

> Usually you just have to copy & paste the new
> keys into your registrar's web-interface per quarter, half-year or year.


Which gets annoying *really* fast.
May I introduce you to RFC7344 - Automating DNSSEC Delegation Trust
Maintenance (http://tools.ietf.org/html/rfc7344)?

Ask your favorite name server vendor to implement this -- basically it
automates rolling over your keys, by having the old key introduce
the new one.

W



> Even my private domains are secured with DNSSEC/DANE by using a DNS-operator
> with managed DNSSEC. I only generate the TLSA-RRs myself when I change the
> TLS-certs every two years.
>
> As a quick-start I suggest using Shumon Huque's web-generator for TLSA-RRs
> (https://www.huque.com/bin/gen_tlsa). To reduce the effort of changing TLSA-RRs
> when changing the TLS-certificate you can use CNAMEs and wildcard-RRs
> pointing to ONE single TLSA-RR. For the client side I suggest a warning message
> in your shops to encourage users to install the CZNIC DNSSEC/TLSA Validator
> web browser add-on (https://www.dnssec-validator.cz/).
>
>
> Renne
>
>
> --
> Best regards,
>
> Rene Bartsch, B. Sc. Informatics
>
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
