On Mon, 2017-07-10 at 13:50 -0400, Bob Harold wrote:

> On Tue, Jul 4, 2017 at 11:42 AM, Shumon Huque <shu...@gmail.com>
> wrote:
> > Hi folks,

...

> And perhaps a really dumb off-topic question:
> I do not use DNSSEC yet, mostly due to time and effort, secondly due
> to concern over the additional size and processing.  Is it possible
> for me to start with a new, rarely implemented, algorithm with
> shorter records, that most resolvers won't understand yet, and have
> those that don't understand it treat the zone as unsigned?  Or will
> it break everything?  (Section 5 sounds like it breaks)

There is not much at all involved in time or effort any more.

I used to manually sign my zones but I've shifted over to having "bind"
just manage all my keysigning and I just update the zone and it
happens.  You just set up your initial keys and register your KSK (Key
Signing Key) with your registrar (assuming they support it) and you
should be good to go.  Rolling your KSKs is still (cough) entertaining
but not essential if you're just getting your feet wet.

Some registrars support this and some don't.  Some will support DNSsec
for the zones but then require you to "self host" your DNS (optionally
slaving from your master).  I self host and always have.  I also use
Hurricane Electric for additional slaves.  They've gotten much better
at DNSsec though they won't manage it for their hosted zones. 
DreamHost is another one that will support registration but you have to
self host your master (which then becomes problematical if you want
them to host your web site).  If you want the hosting company to manage
DNSsec for you, good luck.  There are some registrars (some very big
ones) that still don't support DNSsec or only support it as a "premium"
feature and you should just kick them to the curb.

Overall, it's gotten a lot easier and really not a big deal.  Biggest
challenge is getting your IT department to spell DNSsec.  :-P

Mike

> -- 
> Bob Harold

-- 
Michael H. Warfield (AI4NB) | (706) 850-8770 |  m...@wittsend.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
ARIN whois: ARIN-MHW9       | An optimist believes we live in the best of all
PGP Key: 0xC0EB9675674627FF | possible worlds.  A pessimist is sure of it!


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop