I am not speaking about problems in zone signing, but more about managing TLSA records properly and their propagation, as well as monitoring that DANE is working for end clients.
--
*Best Regards,*
Dmitriy Alekseev
DevOps Engineer

On Sat, 7 Feb 2026, 15:20 Viktor Dukhovni via Postfix-users, <[email protected]> wrote:

> On Sat, Feb 07, 2026 at 03:02:46PM +0100, Dmitriy Alekseev via Postfix-users wrote:
>
> > but due to low level of dnssec spreading (as some tlds still fail to
> > add ability for it, as well as domain owners not interested in
> > enabling it even when they can).
>
> Lack of TLD support is largely a thing of the past, all gTLDs and all
> the major ccTLDs support DNSSEC, the only exceptions are a minority (77
> out of 248) of less technically sophisticated ccTLDs:
>
> ae al ao aq as ba bb bo bs cd cf cg ck cu cv cw dj do eg fk gb gf gh gm
> gp gq gt gu hm im iq jm jo kh km kn kp mh mk mo mp mq mt mv mw mz ne ng
> ni np nr om pa pf pk pn ps qa sd sl sm so st sv sy sz tc td tg tj tk to
> va vg vi ye zw
>
> and a handful (15 out of 61) of their related IDNA domains:
>
> xn--d1alf xn--fzc2c9e2c xn--j1amh xn--lgbbat1ad8j xn--mgb9awbf
> xn--mgba3a4f16a xn--mgbaam7a8h xn--mgbc0a9azcg xn--mgbpl2fh xn--mgbtx2b
> xn--mix891f xn--node xn--ogbpf8fl xn--wgbl6a xn--ygbi2ammx
>
> And keeping DNS zones correctly signed is also mostly a thing of the
> past, since the current generation of authoritative servers fully
> automate zone resigning, and even key rotation, if you set up a key
> rotation policy (with just a bit of care to not choose a policy that
> performs key rotation even if the matching DS records don't show up in
> the parent zone).
>
> > Don't need to forget about complexity in operation on dns changes on
> > cert rotation or requirements to reuse same private key to not rotate
> > tlsa I think it not get supported in other protocols and just CA trust
> > is used.
>
> There are robust tools to automate TLSA cert rotation and also
> occasional key rollover, the knowledge to use them has sadly not yet
> reached some of the adopters. Too many HOWTO guides are giving rather
> incomplete advice...
>
> --
> Viktor. 🇺🇦 Glory to Ukraine!
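As an added example (not code from either poster), this illustrates the key-reuse point discussed above: with selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256), a renewed certificate that keeps the same key pair produces unchanged "3 1 1" TLSA data, while "3 0 1" (whole certificate) data changes on every renewal, and the same functions can check a deployed certificate against a published TLSA RRset. The certificate bytes are a constructed DER skeleton with the RFC 5280 field order, not a real certificate, and no DNS query is performed.

```python
import hashlib

def der_read(buf, off=0):
    """Read one DER TLV at off; return (tag, value, whole_tlv, next_offset)."""
    tag, ln, hdr = buf[off], buf[off + 1], 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    end = off + hdr + ln
    return tag, buf[off + hdr:end], buf[off:end], end

def der_children(value):
    """Split a SEQUENCE body into its top-level (tag, value, tlv) elements."""
    out, off = [], 0
    while off < len(value):
        tag, val, tlv, off = der_read(value, off)
        out.append((tag, val, tlv))
    return out

def spki_der(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER X.509 certificate (RFC 5280 layout)."""
    tbs = der_children(der_read(cert_der)[1])[0][1]  # tbsCertificate body
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][2]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_data(cert_der, selector):
    """Matching type 1 (SHA-256) data: selector 0 = whole cert, 1 = SPKI only."""
    blob = cert_der if selector == 0 else spki_der(cert_der)
    return hashlib.sha256(blob).hexdigest()

def cert_matches_rrset(cert_der, rrset):
    """True if a DANE-EE(3)/SHA-256(1) record in the published RRset covers the cert."""
    return any(u == 3 and m == 1 and tlsa_data(cert_der, s) == d.lower()
               for (u, s, m, d) in rrset)

# --- constructed input: a toy certificate skeleton, not a real or valid cert ---
def der(tag, body):                                  # short-form lengths suffice here
    return bytes([tag, len(body)]) + body

TOY_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                   + der(0x03, b"\x00\x01\x02\x03\x04"))

def toy_cert(serial):
    """Two 'renewals' differ only in serial, i.e. the key pair was reused."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial)
              + der(0x30, b"") * 4 + TOY_SPKI)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    old, new = toy_cert(b"\x01"), toy_cert(b"\x02")
    # For a real cert use ssl.PEM_cert_to_DER_cert(open("cert.pem").read())
    print("3 0 1 changes on renewal:", tlsa_data(old, 0) != tlsa_data(new, 0))
    print("3 1 1 stable with same key:", tlsa_data(old, 1) == tlsa_data(new, 1))
```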
