On 11/10/15 08:15, Alice Wonder wrote:
>
> On 11/10/2015 04:30 AM, Phil Stracchino wrote:
>> This is where I admit that I haven't gotten around to DNSSEC signing
>> yet. But then, mine is a very small domain with only one external IP.
>>
>>
>
> From my own personal experience, start with a very short TTL and do not
> make TLSA records until you have a process down for rotating zone
> signing keys that works.

[...]

> My DNS servers do DNSSEC validate so I at least get some MITM protection
> even without postfix running in DANE mode.

I'm not even ready to look at TLSA yet. I'm actually still working on
finishing up my DKIM setup.

Does anyone have a favorite preferred information resource for a how-to
on getting started with DNSSEC?

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: 603.293.8485