DANE works with self generated CERTs. The TLSA record provides the cryptographic link back to the DNSSEC root.
-- 
Mark Andrews

> On 3 Jun 2021, at 22:32, babydr DBA James W. Laferriere <bab...@baby-dragons.com> wrote:
> 
> Hello Mark,
> 
>> On Wed, 2 Jun 2021, Mark Tinka wrote:
>>> On 6/2/21 11:07, Jeroen Massar via NANOG wrote:
>>>
>>> As for solutions: better education, more improvements to the tools & making
>>> it easier. CDS records already help a lot. But we might also need to
>>> improve recovery mechanisms, as f-ups are made, and you don't want to be
>>> off this Internet thing for too long.
>>
>> I think DNSSEC implementation needs to be made less scary for folk who are
>> apprehensive, and broken down into two steps, where step 1 is most
>> emphasized:
>>
>> * Enable DNSSEC on your resolvers. Does not require you to sign your
>> zones. Does not require you to read up on what it takes to sign and
>> maintain your zones. Does not require you to worry and test for the
>> next 60 days whether DNSSEC will break your e-mail delivery, etc.:
>>
>> dnssec-enable yes;
>> dnssec-validation auto;
>>
>> Done! Two lines (BIND, in this case), and off you go.
>
> Will this handle the case of self-signed only?
> And as Jeroen Massar mentioned the resignation of a certificate is a tad
> troublesome for both DNSSEC & DANE.
>
>> * Step 2 - take your time cluing up on getting your zone signed, and
>> being part of the solution toward a more secure Internet. No
>> pressure, at your pace.
>
> Again, will this handle the case of self-signed only?
>
>> Mark.
> Tia, JimL
> --
> +---------------------------------------------------------------------+
> | James W. Laferriere   | System Techniques      | Give me VMS        |
> | Network & System Engineer | 3237 Holden Road   | Give me Linux      |
> | j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP       |
> +---------------------------------------------------------------------+
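To make the "self-signed only" answer concrete: under DANE-EE (TLSA usage 3) the client does not walk a PKIX chain at all; it derives association data from the certificate the server presents (the whole certificate for selector 0, or just its SubjectPublicKeyInfo for selector 1, optionally hashed) and compares it with the DNSSEC-validated TLSA record. The script below is an added example written for this page, not code from the thread or from any of its participants. It uses only the Python standard library, builds constructed DER certificate stand-ins (correct RFC 5280 field nesting, dummy contents, no real signature) in place of real self-signed certificates, and treats the hostname `mail.example.net` as a placeholder. It also shows why the usual `3 1 1` form is convenient for the re-signing problem raised in the thread: renewing a certificate with the same key leaves the SPKI digest unchanged, while re-keying does require a new TLSA record.

```python
"""Added example: pinning a self-signed certificate with a TLSA record under
DANE-EE (RFC 6698 / RFC 7671 usage 3). Certificates here are constructed DER
stand-ins, not real signed certificates; DNSSEC validation of the TLSA RRset
is assumed to have happened in the resolver before any of this runs."""
import hashlib
import hmac


def der_tlv(tag, body):
    """Encode one DER element: tag, definite-form length, body (< 64 KiB)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_read(buf, off=0):
    """Return (tag, body, end_offset) for the DER element at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = off + hdr
    return tag, buf[start:start + length], start + length


def der_elements(seq):
    """Top-level elements (headers included) inside a DER SEQUENCE."""
    tag, body, _ = der_read(seq)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, off = [], 0
    while off < len(body):
        _, _, end = der_read(body, off)
        out.append(body[off:end])
        off = end
    return out


def extract_spki(cert_der):
    """SubjectPublicKeyInfo of a DER certificate. tbsCertificate fields are
    [0] version (optional), serialNumber, signature, issuer, validity,
    subject, subjectPublicKeyInfo, ... (RFC 5280 section 4.1)."""
    fields = der_elements(der_elements(cert_der)[0])
    if fields[0][0] == 0xA0:          # explicit [0] version tag present
        fields = fields[1:]
    return fields[5]


def tlsa_data(cert_der, selector, matching):
    """Certificate association data for a selector / matching type pair."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)  # 1 = SPKI
    if matching == 0:
        return obj                     # full object, no hash
    if matching == 1:
        return hashlib.sha256(obj).digest()
    if matching == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError("unknown matching type %d" % matching)


def tlsa_record(cert_der, usage=3, selector=1, matching=1):
    """Presentation-format RDATA an operator would publish: '3 1 1 <hex>'."""
    return "%d %d %d %s" % (usage, selector, matching,
                            tlsa_data(cert_der, selector, matching).hex())


def dane_ee_matches(rdata, presented_cert_der):
    """DANE-EE check: usage must be 3 and the data derived from the presented
    end-entity certificate must equal the record's data. No PKIX chain is
    consulted, which is why a self-signed certificate is sufficient."""
    usage, selector, matching, *hexparts = rdata.split()
    if int(usage) != 3:
        return False
    expected = bytes.fromhex("".join(hexparts))
    actual = tlsa_data(presented_cert_der, int(selector), int(matching))
    return hmac.compare_digest(expected, actual)


def toy_spki_body(key_byte):
    """Constructed SPKI body: rsaEncryption AlgorithmIdentifier + fake key bits."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    return alg + der_tlv(0x03, b"\x00" + bytes([key_byte]) * 64)


def build_toy_cert(spki_body, serial=1):
    """Constructed certificate stand-in: correct DER nesting, dummy contents."""
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # [0] EXPLICIT version v3
        der_tlv(0x02, bytes([serial])),          # serialNumber
        der_tlv(0x30, b""),                      # signature AlgorithmIdentifier (dummy)
        der_tlv(0x30, b""),                      # issuer Name (dummy)
        der_tlv(0x30, b""),                      # Validity (dummy)
        der_tlv(0x30, b""),                      # subject Name (dummy)
        der_tlv(0x30, spki_body),                # subjectPublicKeyInfo
    ]))
    sig = der_tlv(0x03, b"\x00" + bytes([serial]) * 32)   # dummy signatureValue
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + sig)


def demo():
    """Publish a '3 1 1' record for our key, then check three presented certs:
    the original, a renewal with the same key, and a cert with a new key."""
    own = build_toy_cert(toy_spki_body(0xA1), serial=1)
    renewed = build_toy_cert(toy_spki_body(0xA1), serial=2)   # same key, new cert
    rekeyed = build_toy_cert(toy_spki_body(0xB2), serial=3)   # new key
    rr = tlsa_record(own)                                     # 3 1 1 sha256(SPKI)
    return rr, dane_ee_matches(rr, own), dane_ee_matches(rr, renewed), dane_ee_matches(rr, rekeyed)


if __name__ == "__main__":
    rr, a, b, c = demo()
    print("_25._tcp.mail.example.net. IN TLSA", rr)      # placeholder owner name
    print("original:", a, "renewed same key:", b, "rekeyed:", c)
```

The `3 1 1` form (DANE-EE, SPKI, SHA-256) is the one RFC 7671 recommends for exactly the operational reason the demo shows: a certificate renewal that keeps the key pair needs no DNS change, and a TLSA record published with selector 0 would instead break on every renewal. A re-key still has to be staged (publish the new record alongside the old, wait for the TTL, then swap the certificate) so that validating clients never see a record set that matches neither certificate.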