DANE works with self generated CERTs. The TLSA record provides the cryptographic link back to the DNSSEC root. -- Mark Andrews
On 3 Jun 2021, at 22:32, babydr DBA James W. Laferriere <babydr@baby-dragons.com> wrote:
Hello Mark ,
On Wed, 2 Jun 2021, Mark Tinka wrote:
On 6/2/21 11:07, Jeroen Massar via NANOG wrote:
As for solutions: better education, more improvements to the tools & making it easier. CDS records already help a lot. But we might also need to improve recovery mechanisms, as f-ups are made, and you don't want to be off this Internet thing for too long.
I think DNSSEC implementation needs to be made less scary for folk who are apprehensive, and broken down into two steps, where step 1 is most emphasized:
* Enable DNSSEC on your resolvers. Does not require you to sign your zones. Does not require you to read up on what it takes to sign and maintain your zones. Does not require you to worry and test for the next 60 days whether DNSSEC will break your e-mail delivery, e.t.c.:
dnssec-enable yes; dnssec-validation auto;
Done! Two lines (BIND, in this case), and off you go.
Will this handle the case of self-signed only ? And as Jeroen Massar mentioned the resignation of a certificate is a tad troubles some for both DNSSEC & DANE .
* Step 2 - take your time cluing up on getting your zone signed, and being part of the solution toward a more secure Internet. No pressure, at your pace.
Again , Will this handle the case of self-signed only ?
Mark. Tia , JimL -- +---------------------------------------------------------------------+ | James W. Laferriere | System Techniques | Give me VMS | | Network & System Engineer | 3237 Holden Road | Give me Linux | | jiml@system-techniques.com | Fairbanks, AK. 99709 | only on AXP | +---------------------------------------------------------------------+