On Sat, Dec 14, 2013 at 02:35:15PM -0600, /dev/rob0 wrote:

> > The trick is to find tools that make operating a DNSSEC zone
> > relatively painless. You get security, but it is easier to mess
> > up leaving the zone with stale signatures and thus essentially
> > invisible to all DNSSEC-aware clients. By all means deploy
> > DNSSEC, but carefully.
>
> Perhaps I am biased, but I use and recommend ISC BIND 9.9. The
> "auto-dnssec maintain;" zone option does most of the work. Used
> together with "update-policy local;" you get a simple means of
> updating your zone data with nsupdate(8).
Thanks for the tip, the OP may find that helpful. Making use of DNSSEC as
transparent as possible to the administrator is key to making it usable.

Since your zone is in fact DNSSEC signed, perhaps you should consider
enabling DANE for SMTP:

    _25._tcp.mx3.nodns4.us. IN TLSA 3 1 1 FDC86639033F23BAB5B24DF459DE2742CF98FCB1BD747F71807C4DF294773323
    _25._tcp.mx4.nodns4.us. IN TLSA 3 1 1 FDC86639033F23BAB5B24DF459DE2742CF98FCB1BD747F71807C4DF294773323

-- 
	Viktor.
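The TLSA records above are of the "3 1 1" form: certificate usage 3 (DANE-EE, the end-entity certificate itself is the trust anchor), selector 1 (match the SubjectPublicKeyInfo rather than the whole certificate) and matching type 1 (SHA-256 of that DER object). The following is an added example, not code from this thread or from Postfix, showing how such a record is derived from a certificate and how a record is sanity-checked and compared against a certificate before it is published. It uses only the Python standard library; the DER walker is deliberately minimal (single-byte tags, which is all X.509 top-level structure needs), the EC key and the certificate are constructed dummies (no real key material, no signature), and the `mx3.example.test` host name is a placeholder.

```python
import hashlib

# --- minimal DER helpers (enough for real X.509 top-level structure and the toy cert) ---

def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    """Wrap content in a DER TLV with a single-byte tag."""
    return bytes([tag]) + _der_len(len(content)) + content

def _read_tlv(buf, off):
    """Return (tag, content, end_offset) for the TLV starting at off."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo TLV of an X.509 certificate.

    TBSCertificate fields, in order: [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    tag2, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    elems, off = [], 0
    while off < len(tbs):
        t, _, end = _read_tlv(tbs, off)
        elems.append((t, tbs[off:end]))     # keep the full TLV, which is what gets hashed
        off = end
    first = 1 if elems[0][0] == 0xA0 else 0  # skip the explicit [0] version if present
    return elems[first + 5][1]

# --- TLSA (RFC 6698) presentation format ---

def tlsa_owner(host, port=25, proto="tcp"):
    return f"_{port}._{proto}.{host.rstrip('.')}."

def tlsa_311_from_spki(spki_der):
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256), hex data."""
    return hashlib.sha256(spki_der).hexdigest().upper()

def tlsa_311_record(host, cert_der, port=25):
    return f"{tlsa_owner(host, port)} IN TLSA 3 1 1 {tlsa_311_from_spki(extract_spki(cert_der))}"

def parse_tlsa(rr):
    """Parse 'owner [ttl] [class] TLSA usage selector mtype hexdata' and sanity-check it."""
    parts = rr.split()
    if "TLSA" not in parts:
        raise ValueError("not a TLSA record")
    i = parts.index("TLSA")
    usage, selector, mtype = (int(x) for x in parts[i + 1:i + 4])
    data = "".join(parts[i + 4:]).upper()   # data may be split across whitespace
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA usage/selector/matching type")
    want = {1: 64, 2: 128}.get(mtype)       # SHA-256 / SHA-512 hex lengths
    if want is not None and len(data) != want:
        raise ValueError(f"matching type {mtype} needs {want} hex chars, got {len(data)}")
    bytes.fromhex(data)                     # raises ValueError on non-hex data
    return {"owner": parts[0], "usage": usage, "selector": selector, "mtype": mtype, "data": data}

def tlsa_matches(rr, cert_der):
    """Does a parsed TLSA record match this certificate (selector/matching-type aware)?"""
    obj = cert_der if rr["selector"] == 0 else extract_spki(cert_der)
    if rr["mtype"] == 0:                    # exact match, no hashing
        return obj.hex().upper() == rr["data"]
    digest = hashlib.sha256 if rr["mtype"] == 1 else hashlib.sha512
    return digest(obj).hexdigest().upper() == rr["data"]

# --- constructed sample data: NOT a real key or certificate ---

EC_PUBKEY_OID = der(0x06, bytes.fromhex("2a8648ce3d0201"))    # 1.2.840.10045.2.1 ecPublicKey
P256_OID = der(0x06, bytes.fromhex("2a8648ce3d030107"))       # 1.2.840.10045.3.1.7 prime256v1
SAMPLE_SPKI = der(0x30, der(0x30, EC_PUBKEY_OID + P256_OID)
                  + der(0x03, b"\x00\x04" + bytes(64)))       # dummy uncompressed point

def toy_cert(spki):
    """Build a structurally valid but unsigned dummy certificate around an SPKI."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"131214000000Z") + der(0x17, b"141214000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(8)))  # dummy signature

if __name__ == "__main__":
    cert = toy_cert(SAMPLE_SPKI)
    rr = tlsa_311_record("mx3.example.test", cert)
    print(rr)
    print("matches:", tlsa_matches(parse_tlsa(rr), cert))
```

For a real MX, feed `extract_spki` the server certificate's DER bytes (`ssl.PEM_cert_to_DER_cert` converts a PEM file). Because "3 1 1" pins the public key, the check in `tlsa_matches` is what you run before a key rollover: publish the record for the new key alongside the old one, wait out the TTL, and only then switch the server, since a stale record in a signed zone causes DANE-aware senders to refuse delivery rather than fall back.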