Twelve years ago I was invited to present on #DNSSEC in Moscow. Quite the show actually: we had simultaneous translators (think: EU parliament) who translated my English to Russian and back for questions from the audience.
Imagine my surprise when I met @krisbuytaert there: he too had been invited to give a talk.
The stay was great: it allowed me to brush up on my Russian: I learned how to pronounce 'nyet'.
"Because of the lack of clear signals of general adoption of DNSSEC over three decades, is it time to acknowledge that DNSSEC is just not going anywhere? Is it time to call it a day for DNSSEC and just move on?"
@jpmens @bortzmeyer @icing I also think software has matured and more and more RFCs/drafts help automate #DNSSEC (hence reducing human errors, which account for a lot of outages).
To do a parallel, #HTTPS was widely adopted only when the proper protocols and tooling (ACME) to automate X.509 certificates management were reliable.
We are only (slowly) getting there with #DNSSEC.
@shane_kerr @jpmens I just had the opposite train of thought: (aggressively) discard all cached entries when I know a zone has been updated (increased ZONEVERSION).
Maybe this could make the CDNs stop using dramatically low #DNS TTLs on all their records, just in case they might update their zone (or we could more comfortably use higher min-ttl values).
I also see some potential to limit outages caused by #DNSSEC bad practice.
This is quite rare - the C root-servers are out of sync with the rest of the world by 3 days. Since that time there have been no changes in the root zone, except for DNSSEC signature updates. It appears all C instances (operated by #cogent) are serving an outdated zone. For now this has no operational impact, but that might change. #DNSSEC
»Cloudflare alternative:
19 Cloudflare alternatives at a glance«
Does anyone of you have experience with one of these alternatives, or even with one that isn't listed? If so, which one can you recommend, and on what grounds?
(I am still unsure which one is the "most secure" and the most "data-frugal")
"DNSSEC Bootstrapping allows the child zone operator to publish a signed copy of the child’s CDS/CDNSKEY records under a different name that has an existing chain of trust."
Monday. #DANE error "Server certificate not trusted." Just like 60 days ago.
So, a call to the service provider. "We have to readjust that manually." sigh
"For a permanent solution we would have to switch to a certificate that is renewed manually, which is not practicable, or adjust the TLSA record automatically, which is currently not supported by our internal policies. Since the availability of DANE statistically shows no effect on our mail traffic, we are also considering removing the TLSA record entirely."
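The failure in the post above is the classic DANE operational trap: the certificate is renewed automatically, but the TLSA record in DNS still carries the hash of the old key, so every validating peer sees "Server certificate not trusted" until someone fixes the record by hand. The monitoring check below is an added example (not code from any of the posts or from the provider mentioned): it computes the TLSA certificate association data for a certificate and compares it with the published record, so a mismatch is detected the moment the certificate changes. The certificate bytes are a constructed, minimal DER stand-in with the X.509 field order (not a real certificate), and the TLSA values are constructed as well; the SPKI extraction assumes the standard tbsCertificate layout from RFC 5280.

```python
"""Check that a published DANE TLSA record still matches a server certificate.

Added example; the DER structures and TLSA values below are constructed.
Assumes the common TLSA profile 3 1 1 (DANE-EE, SubjectPublicKeyInfo, SHA-256),
with selector 0 (full certificate) and other matching types handled as well.
"""
import hashlib

SEQ, INT, BITSTR, CTX0 = 0x30, 0x02, 0x03, 0xA0


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, body, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(body: bytes):
    """Yield (tag, full TLV bytes) for each element of a constructed body."""
    pos = 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        yield tag, body[pos:nxt]
        pos = nxt


def build_test_cert(spki: bytes) -> bytes:
    """Construct a stand-in certificate DER in X.509 field order.

    Only the outer structure matters for the check; the other fields are
    empty placeholders, so this is NOT a valid certificate."""
    tbs = der_tlv(SEQ, b"".join([
        der_tlv(CTX0, der_tlv(INT, b"\x02")),   # [0] version (v3)
        der_tlv(INT, b"\x01"),                   # serialNumber (placeholder)
        der_tlv(SEQ, b""),                       # signature algorithm (placeholder)
        der_tlv(SEQ, b""),                       # issuer (placeholder)
        der_tlv(SEQ, b""),                       # validity (placeholder)
        der_tlv(SEQ, b""),                       # subject (placeholder)
        spki,                                    # subjectPublicKeyInfo
    ]))
    return der_tlv(SEQ, tbs + der_tlv(SEQ, b"") + der_tlv(BITSTR, b"\x00"))


def extract_spki(cert: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of a certificate DER.

    The [0] version field of tbsCertificate is optional, so SPKI is the 7th
    child when it is present and the 6th child otherwise."""
    _, cert_body, _ = der_read(cert)
    _, tbs_body, _ = der_read(cert_body)        # first child is tbsCertificate
    children = list(der_children(tbs_body))
    idx = 6 if children[0][0] == CTX0 else 5
    tag, tlv = children[idx]
    if tag != SEQ:
        raise ValueError("unexpected tag at SubjectPublicKeyInfo position")
    return tlv


def tlsa_association(cert: bytes, selector: int, matching: int) -> bytes:
    """Certificate association data per RFC 6698.

    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512"""
    data = cert if selector == 0 else extract_spki(cert)
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_rdata(cert: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    """Presentation form of the record, e.g. '3 1 1 <hex digest>'."""
    return f"{usage} {selector} {matching} {tlsa_association(cert, selector, matching).hex()}"


def tlsa_matches(cert: bytes, published: str) -> bool:
    """Monitoring check: does the record currently in DNS match this cert?"""
    _usage, selector, matching, hexdata = published.split()
    expected = tlsa_association(cert, int(selector), int(matching))
    return expected.hex() == hexdata.lower()


# Constructed sample: the key before renewal and a different key after it.
OLD_SPKI = der_tlv(SEQ, der_tlv(SEQ, b"") + der_tlv(BITSTR, b"\x00" + b"\x11" * 32))
NEW_SPKI = der_tlv(SEQ, der_tlv(SEQ, b"") + der_tlv(BITSTR, b"\x00" + b"\x22" * 32))
OLD_CERT = build_test_cert(OLD_SPKI)
NEW_CERT = build_test_cert(NEW_SPKI)
PUBLISHED = tlsa_rdata(OLD_CERT)   # what DNS still serves after the renewal

if __name__ == "__main__":
    print("published record:", PUBLISHED)
    print("matches old certificate:", tlsa_matches(OLD_CERT, PUBLISHED))   # True
    print("matches renewed certificate:", tlsa_matches(NEW_CERT, PUBLISHED))  # False
```

Running `tlsa_matches` against the certificate a mail server actually serves, right after every renewal, turns the 60-day surprise into an immediate alert; the same association-data routine is what an automated TLSA update would publish. In practice the check would fetch the live certificate and the TLSA RRset (ideally with DNSSEC validation) instead of the constructed bytes used here.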
We have new KSK for the root!
Today a mega ceremony was held where new HSMs were introduced and a new root key was generated in them. This key will be pre-published at the end of this year, and the rollover will be at the end of 2026. It'll be the third in the history of the DNS. The first was in 2010 and the second in 2017. #dns #dnssec