On Mon, Jan 07, 2013 at 01:31:39AM +0000, Robin H. Johnson wrote:
> If there are no problems reported in a week or two, I'm going to enable
> this for the rest of our DNS zones, as well as registering the DS
> records with the TLD. Thereafter, I'd also like to deploy DANE and SSH
> fingerprints in DNS, and remove our reliance on any elements of the CA
> chain.

I haven't heard any problems at all, so I have implemented it on another domain we own (it probably won't be renewed when it comes up, per trustees' decisions): gentoo.be

In addition, I have the DS/DNSKEY with the .be domain registrar (the full-trust variant, instead of relying on the DLV lookaside trust repository).

I also added in a DNAME entry of:

dev.gentoo.be. DNAME dev.gentoo.org.

so that I could create the following trust chain for testing purposes:

http://dnsviz.net/d/mv78100.arm.dev.gentoo.be/dnssec/

If there are no problems reported by Jan 17th, I'm going to complete the DNSSEC configuration on gentoo.org and remaining delegated sub-domains.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
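The two mechanical steps in the message above, publishing a DS record for the zone's DNSKEY at the parent (.be) and routing a test chain through a DNAME, can be checked offline. The following is an added example, not code from the thread or from Gentoo's infrastructure: it derives a DS record from a DNSKEY the way a registrar expects it (RFC 4034 Appendix B key tag, RFC 4509 SHA-256 digest over the canonical owner name plus RDATA), compares a DS already published at the parent against the child's current DNSKEY so a stale DS after a key rollover is caught, and applies the RFC 6672 DNAME substitution to a query name. The DNSKEY line is constructed with synthetic four-byte key material and is not Gentoo's real key; the owner names merely reuse those from the message.

```python
"""DS generation/verification and DNAME substitution for DNSSEC deployment checks.

Added example (not from the original thread). Key material below is synthetic.
"""
import base64
import hashlib

# Constructed sample DNSKEY in presentation format: KSK flags (257), protocol 3,
# algorithm 13 (ECDSAP256SHA256). The public key "AQIDBA==" is just bytes 01 02 03 04.
SAMPLE_DNSKEY = "gentoo.be. IN DNSKEY 257 3 13 AQIDBA=="


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case labels, uncompressed, root terminated."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA.

    Valid for every algorithm except 1 (RSA/MD5), which uses a different rule and is
    obsolete anyway.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Return (owner, rdata_bytes, algorithm) from a presentation-format DNSKEY line."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record: %r" % line)
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split by whitespace
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, rdata, alg


def ds_from_dnskey(line, digest_type=2):
    """Return (owner, key_tag, algorithm, digest_type, hex_digest) for a DNSKEY line.

    Digest input is owner-name wire form followed by the DNSKEY RDATA (RFC 4034 5.1.4).
    """
    owner, rdata, alg = parse_dnskey(line)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return owner, key_tag(rdata), alg, digest_type, digest


def ds_line(line, digest_type=2):
    """Presentation-format DS record to hand to the registrar."""
    owner, tag, alg, dt, digest = ds_from_dnskey(line, digest_type)
    return "%s IN DS %d %d %d %s" % (owner, tag, alg, dt, digest)


def ds_matches(parent_ds_line, child_dnskey_line):
    """True if the DS published at the parent still matches the child's DNSKEY.

    A False here after a rollover means the chain of trust is broken at the delegation.
    """
    f = parent_ds_line.split()
    i = f.index("DS")
    tag, alg, dt = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    digest = "".join(f[i + 4:]).upper()
    _, ctag, calg, _, cdigest = ds_from_dnskey(child_dnskey_line, dt)
    return (tag, alg, digest) == (ctag, calg, cdigest)


def apply_dname(qname, owner, target):
    """RFC 6672 DNAME substitution.

    Names strictly below `owner` have that suffix replaced by `target`; the owner
    itself is not rewritten (a DNAME does not apply to its own name). Returns None
    when the DNAME does not apply.
    """
    q = qname.lower().rstrip(".")
    o = owner.lower().rstrip(".")
    t = target.lower().rstrip(".")
    if q == o or not q.endswith("." + o):
        return None
    return q[: -len(o)] + t + "."


if __name__ == "__main__":
    ds = ds_line(SAMPLE_DNSKEY)
    print(ds)
    print("parent DS matches child DNSKEY:", ds_matches(ds, SAMPLE_DNSKEY))
    print(apply_dname("mv78100.arm.dev.gentoo.be.", "dev.gentoo.be.", "dev.gentoo.org."))
```

Run it against the real zone by replacing SAMPLE_DNSKEY with the output of `dig +short gentoo.be DNSKEY` (prefixing the owner name) and the parent DS with `dig +short gentoo.be DS`; the DNAME helper shows why the dnsviz test name under dev.gentoo.be is validated as a name under dev.gentoo.org, so a broken chain on either side shows up in that one graph.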