On Aug 13, 2008, at 10:21 AM, Ralf Weber wrote:
> Hmm, assuming that we both did use the same name server software my
> experiences are different. Compared to regular DNS setting up and more
> importantly maintaining DNSSEC is much more work than normal DNS stuff
> (zone resigning, key rollover).

You're probably doing too much work. Why are you doing key
rollover? Why so often? Why not just use a longer key? Are you
trying for more security than you actually need? Are you that
careful with your SSL certs? And why aren't you signing your zone
with a cron job?

For me, the hardest problem about setting up a secure zone was simply
finding concise documentation on how to do it. I just set up a
secure zone in .se, and the total work time from deciding to do it to
having it done was about an hour, including:
- tracking down and reading Olaf's rather verbose but quite helpful
  document on setting it up (http://www.nlnetlabs.nl/dnssec_howto/)
- debugging two problems with my zone that weren't DNSSEC-related,
  but that the DNSSEC signer wouldn't allow
- finding a registrar who was happy to communicate with me in English,
  since I don't speak Swedish (thanks, Patrik!)
- registering a new domain, not just setting up DNSSEC.

Maybe I did it wrong, but it seemed pretty easy to me. I think the
problem is just that people don't know how to do it, and overthink the
problem.

Oh, I just now signed two more of my top-level zones. 13 minutes to
do two of them, and this was doing it manually, with no shell scripts
to automate it. Of course, they're in .COM and .ORG, so there's no
trust anchor yet, but hopefully there will be some day.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
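
Added example, not part of the original message or of any tool it mentions: a check that a cron job could run to decide whether a signed zone is due for re-signing, the maintenance task discussed in the thread. It reads the RRSIG expiration fields (RFC 4034 presentation format) from a signed zone file; the zone name `secure.example.`, key tag, signature bytes and the 7-day margin are constructed assumptions.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# RRSIG RDATA order (RFC 4034 section 3.2): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
# Only the YYYYMMDDHHmmSS timestamp form is handled, not the epoch-seconds form.
RRSIG_RE = re.compile(
    r"\bRRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+\d+\s+(?P<signer>\S+)"
)

# Constructed sample of a signed zone (hypothetical names, fake signatures).
SAMPLE_ZONE = """\
secure.example. 3600 IN SOA ns.secure.example. host.secure.example. 2008081301 3600 900 1209600 3600
secure.example. 3600 IN RRSIG SOA 5 2 3600 20080912102100 (
        20080813102100 12345 secure.example.
        c2FtcGxlLXNpZ25hdHVyZQ== ) ; constructed, not a real signature
secure.example. 3600 IN NSEC www.secure.example. NS SOA RRSIG NSEC DNSKEY
www.secure.example. 3600 IN RRSIG A 5 3 3600 20081001000000 20080901000000 12345 secure.example. c2FtcGxl
"""

def parse_ts(value):
    """Convert an RRSIG timestamp (always UTC) to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def expiring_signatures(zone_text, now, margin_days=7):
    """Return (type covered, signer, expiration) for RRSIGs expiring within the margin."""
    # Strip ';' comments, then drop the parentheses that wrap multi-line records
    # so one regex can match across the original line breaks.
    text = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    text = text.replace("(", " ").replace(")", " ")
    cutoff = now + timedelta(days=margin_days)
    return [(m["covered"], m["signer"], parse_ts(m["expire"]))
            for m in RRSIG_RE.finditer(text)
            if parse_ts(m["expire"]) <= cutoff]

def needs_resign(zone_text, now, margin_days=7):
    return bool(expiring_signatures(zone_text, now, margin_days))

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1]) as fh:
        due = expiring_signatures(fh.read(), datetime.now(timezone.utc))
    for covered, signer, expire in due:
        print(f"re-sign {signer}: RRSIG {covered} expires {expire:%Y-%m-%d %H:%M}Z")
    sys.exit(1 if due else 0)  # non-zero exit lets the cron wrapper trigger the signer
```

Run from cron with the signed zone file as the only argument; the exit status is 1 when any signature falls inside the margin.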