On Sat, Feb 07, 2026 at 03:02:46PM +0100, Dmitriy Alekseev via Postfix-users 
wrote:

> but due to low level of dnssec spreading (as some tlds still fail to
> add ability for it, as well as domain owners not interested in
> enabling it even when they can).

Lack of TLD support is largely a thing of the past, all gTLDs and all
the major ccTLDs support DNSSEC, the only exceptions are a minority (77
out of 248) of less technically sophisticated ccTLDs:

    ae al ao aq as ba bb bo bs cd cf cg ck cu cv cw dj do eg fk gb gf gh gm
    gp gq gt gu hm im iq jm jo kh km kn kp mh mk mo mp mq mt mv mw mz ne ng
    ni np nr om pa pf pk pn ps qa sd sl sm so st sv sy sz tc td tg tj tk to
    va vg vi ye zw

and a handful (15 out of 61) of their related IDNA domains:

    xn--d1alf xn--fzc2c9e2c xn--j1amh xn--lgbbat1ad8j xn--mgb9awbf
    xn--mgba3a4f16a xn--mgbaam7a8h xn--mgbc0a9azcg xn--mgbpl2fh xn--mgbtx2b
    xn--mix891f xn--node xn--ogbpf8fl xn--wgbl6a xn--ygbi2ammx

And keeping DNS zones correctly signed is also mostly a thing of the
past, since the current generation of authoritative servers fully
automate zone resigning, and even key rotation, if you set up a key
rotation policy (with just a bit of care to not choose a policy that
performs key rotation even if the matching DS records don't show up in
the parent zone).

> Don't need to forget about complexity in operation on dns changes on
> cert rotation or requirements to reuse same private key to not rotate
> tlsa I think it not get supported in other protocols and just CA trust
> is used.

There are robust tools to automate TLSA cert rotation and also
occasional key rollover, the knowledge to use them has sadly not yet
reached some of the adopters.  Too many HOWTO guides are giving rather
incomplete advice...

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
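The two operational cautions in the reply above, a KSK rollover that must wait for the parent's DS and a TLSA set that must already match a certificate before it goes live, can be reduced to pre-flight checks. The following is an added example, not code from the Postfix project or from anyone in this thread; the zone name, the DNSKEY public-key bytes, the SubjectPublicKeyInfo blobs and the DS/TLSA sets are constructed placeholders, and the DS digest, key tag and TLSA "3 1 1" computations follow RFC 4034, RFC 4509 and RFC 6698.

```python
"""
Pre-flight checks for two DNS-anchored trust mechanisms:

  * DNSSEC: a KSK rollover policy must not retire the old key until the
    parent zone already serves a DS record for the new key.
  * DANE:   a certificate must not go live until a TLSA record matching it
    is published; with "3 1 1" records only a change of key forces a TLSA
    change, a renewal that keeps the same key does not.

Added example, not code from the Postfix project or the mailing-list
thread.  All key material and record sets below are constructed
placeholders, not real keys or real zones.
"""
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsKey:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes  # raw public key field of the DNSKEY RDATA

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(key: DnsKey) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, key: DnsKey) -> str:
    """DS digest type 2 (SHA-256, RFC 4509) over owner name + DNSKEY RDATA."""
    return hashlib.sha256(owner_name_wire(owner) + key.rdata()).hexdigest()


def ds_record(owner: str, key: DnsKey) -> tuple:
    """(key tag, algorithm, digest type, digest), i.e. what the parent zone publishes."""
    return (key_tag(key), key.algorithm, 2, ds_digest(owner, key))


def safe_to_retire_ksk(owner: str, new: DnsKey, parent_ds: set) -> bool:
    """The old KSK may be retired only once the parent serves a DS for the new one."""
    return ds_record(owner, new) in parent_ds


def tlsa_3_1_1(spki_der: bytes) -> str:
    """TLSA usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return hashlib.sha256(spki_der).hexdigest()


def safe_to_deploy_cert(spki_der: bytes, published_tlsa: set) -> bool:
    """The certificate may go live only if a matching 3 1 1 record is already in DNS."""
    return ("3 1 1", tlsa_3_1_1(spki_der)) in published_tlsa


# --- constructed demo data (placeholders, not real keys) --------------------
ZONE = "example.com."
OLD_KSK = DnsKey(257, 3, 13, bytes([0x01]) * 64)
NEW_KSK = DnsKey(257, 3, 13, bytes([0x02]) * 64)
PARENT_DS = {ds_record(ZONE, OLD_KSK)}      # parent has not yet picked up NEW_KSK

SPKI_CURRENT = b"\x30\x59" + b"\x11" * 89     # placeholder SPKI DER bytes
SPKI_NEW_KEY = b"\x30\x59" + b"\x22" * 89     # a re-keyed certificate's SPKI
PUBLISHED_TLSA = {("3 1 1", tlsa_3_1_1(SPKI_CURRENT))}

if __name__ == "__main__":
    print("old KSK tag", key_tag(OLD_KSK), "new KSK tag", key_tag(NEW_KSK))
    print("retire old KSK now?", safe_to_retire_ksk(ZONE, NEW_KSK, PARENT_DS))
    print("renewed cert, same key, deploy?", safe_to_deploy_cert(SPKI_CURRENT, PUBLISHED_TLSA))
    print("re-keyed cert, deploy?", safe_to_deploy_cert(SPKI_NEW_KEY, PUBLISHED_TLSA))
```

Both checks encode the same ordering rule: publish the new trust anchor in DNS first, wait for it to be visible (and, for DS, for the parent's TTL to elapse), and only then switch keys or retire the old one. A rollover policy that skips the DS check is exactly the kind the reply warns against.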