Just a heads up, DNSSEC is now live on *.dev.gentoo.org hosts.
There is a DLV anchor registered at dlv.isc.org, so all public DNSSEC lookups within the domain should work fine. Here's a visualisation of my two test cases:

http://dnsviz.net/d/dev.gentoo.org/dnssec/
http://dnsviz.net/d/mv78100.arm.dev.gentoo.org/dnssec/

If there are no problems reported in a week or two, I'm going to enable this for the rest of our DNS zones, as well as registering the DS records with the TLD. Thereafter, I'd also like to deploy DANE and SSH fingerprints in DNS, and remove our reliance on any elements of the CA chain.

I haven't implemented NSEC3 by way of a conscious choice. I don't see the need for any private information in our DNS records - simply obscuring them isn't really security.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
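The NSEC-versus-NSEC3 trade-off mentioned above, as an added example that is not part of the original post or of Gentoo's infrastructure: a validator-side denial-of-existence check over a constructed sample zone (names under dev.gentoo.org are assumed for illustration), showing that an NSEC proof discloses the two real neighbouring names while an NSEC3 proof (RFC 5155 hashing) discloses only their hashes.

```python
import hashlib, base64

# Constructed sample zone for illustration only; not Gentoo's real zone contents.
ZONE = ["dev.gentoo.org", "zeta.dev.gentoo.org",
        "mv78100.arm.dev.gentoo.org", "alpha.dev.gentoo.org"]

def labels(name):
    """Lowercased labels in wire order (canonical form is case-insensitive)."""
    return [l.encode() for l in name.lower().rstrip(".").split(".")]

def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical order: most-significant label first."""
    return labels(name)[::-1]

def nsec_chain(names):
    """(owner, next) pairs in canonical order; the last record wraps to the apex."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]

def covers(owner, nxt, qname, key):
    """True if qname falls strictly between owner and next under the given ordering."""
    o, n, q = key(owner), key(nxt), key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n          # wrap-around record at the end of the chain

def prove_nonexistence(chain, qname, key=canonical_key):
    """Return the record a validator would use to deny qname, or None if it exists."""
    for owner, nxt in chain:
        if key(owner) == key(qname):
            return None            # the name exists; no denial is possible
        if covers(owner, nxt, qname, key):
            return (owner, nxt)
    return None

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s5: SHA-1 of wire-format name||salt, re-hashed `iterations` times.
    Output is base32hex; compare against the vectors in RFC 5155 Appendix A."""
    wire = b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32hex = base64.b32encode(digest).decode().translate(
        str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"))
    return b32hex.lower()

def nsec3_chain(names, salt=b"", iterations=0):
    """Same chain idea as NSEC, but ordered by hashed owner names (fixed width, so str order)."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]

if __name__ == "__main__":
    q, salt = "nope.dev.gentoo.org", bytes.fromhex("c0ffee")   # constructed query and salt
    print("NSEC proof :", prove_nonexistence(nsec_chain(ZONE), q))
    print("NSEC3 proof:", prove_nonexistence(nsec3_chain(ZONE, salt, 10),
                                             nsec3_hash(q, salt, 10), key=str))
```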