On Sat, Dec 14, 2013 at 05:26:01AM +0000, Viktor Dukhovni wrote:
> On Sat, Dec 14, 2013 at 12:04:15AM -0500, John Allen wrote:
> > > The main difficulty with server-side DANE is that your zone
> > > must be DNSSEC signed. Deployment of DNSSEC is still fairly
> > > thin. With a bit of luck DANE might motivate folks to consider
> > > DNSSEC.
> >
> > My interest in TLSA was sparked by my looking for info when
> > setting up my DNS with DNSSEC (still a work in progress). It
> > seemed to provide a better level of security than the current
> > standard practice.
>
> The trick is to find tools that make operating a DNSSEC zone
> relatively painless. You get security, but it is easier to mess
> up, leaving the zone with stale signatures and thus essentially
> invisible to all DNSSEC-aware clients. By all means deploy
> DNSSEC, but carefully.
Perhaps I am biased, but I use and recommend ISC BIND 9.9. The "auto-dnssec maintain;" zone option does most of the work. Used together with "update-policy local;" you get a simple means of updating your zone data with nsupdate(8).

Another choice with 9.9 is inline signing, whereby zone files are maintained as before, and the signing takes place "inline". These features and others are all documented in the BIND 9 ARM:

ftp://ftp.isc.org/isc/bind9/9.9.4-P1/doc/arm/Bv9ARM.ch04.html#dnssec.dynamic.zones

Each of BIND 9.7, 9.8, and 9.9 had new features which slightly reduced the pain of DNSSEC. 9.10 won't be an exception.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
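As an added example, not code from anyone in the thread, the script below prints the BIND 9.9 zone stanza the reply describes ("auto-dnssec maintain;" with "update-policy local;") and implements the check Viktor's warning calls for: it reads `dig +dnssec` output, finds the earliest RRSIG expiration on the zone's SOA, and fails if that falls before a deadline, so stale signatures are noticed before validating resolvers stop seeing the zone. The zone name, file paths, key directory and seven-day warning window are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. The zone name, file paths and
# the key directory are constructed placeholders.
ZONE=example.com
KEYDIR=/etc/bind/keys

# BIND 9.9 zone stanza as described in the reply: named re-signs the zone
# itself (auto-dnssec maintain) and accepts changes made with nsupdate -l
# (update-policy local). Printed so it can be reviewed before installing.
zone_stanza() {
    cat <<EOF
zone "$ZONE" {
    type master;
    file "/var/named/dynamic/$ZONE.db";
    key-directory "$KEYDIR";
    auto-dnssec maintain;
    update-policy local;
};
EOF
}

# The failure mode Viktor warns about: once the RRSIGs expire, validating
# resolvers treat the zone as bogus. Read `dig +dnssec` answer lines on
# stdin, print the earliest RRSIG expiration (field 9, YYYYMMDDHHMMSS UTC)
# and return non-zero if it is not later than the deadline given in $1.
# Fixed-width UTC timestamps compare correctly as plain numbers.
rrsig_check() {
    deadline=$1
    earliest=$(awk '$4 == "RRSIG" { print $9 }' | sort | head -n 1)
    if [ -z "$earliest" ]; then
        echo "no RRSIG records in input: zone or answer is unsigned" >&2
        return 2
    fi
    echo "$earliest"
    awk -v e="$earliest" -v d="$deadline" 'BEGIN { exit !(e + 0 > d + 0) }'
}

# Live check: warn when the zone's SOA signature expires within seven days.
main() {
    zone_stanza
    limit=$(date -u -d '+7 days' +%Y%m%d%H%M%S 2>/dev/null \
            || date -u -v+7d +%Y%m%d%H%M%S)
    dig +dnssec +noall +answer "$ZONE" SOA | rrsig_check "$limit" \
        || echo "WARNING: $ZONE RRSIGs expire before $limit or are missing" >&2
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh check.sh run` from cron on a host that can query the authoritative server; a non-empty stderr line is the alert.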