On Tue, Aug 23, 2022 at 01:13:56AM -0400, Demi Marie Obenour wrote:
> You should definitely deploy DNSSEC, but only after you are able to
> deploy it properly. That means having procedures to avoid nasty
> DNSSEC-related downtime.
That's needlessly scary and non-specific. Rather, it means that if you're
self-hosted:

 * Having monitoring in place to check that all signatures in the zone are
   valid and will not expire too soon. I use:

       ldns-verify-zone -e P0Y0M3DT3H23M54S ...

 * Having automated signing in place that should ensure that, barring
   unexpected issues, the above should never fail. Choose a nameserver that:

   + Automates resigning and even periodic ZSK rollovers (e.g. the signing
     policies in BIND 9.16 or later).

   + Possibly automates KSK rollovers as well, but unconditionally waits for
     the matching parent zone DS records to show up before retiring old keys
     (forever if need be).

     - If the parent zone supports CDS/CDNSKEY probing (most don't yet), that
       happens automatically.

     - Otherwise periodically (but OK if delayed indefinitely) you mirror the
       "CDS" records as the desired "DS" records via your registrar; ideally
       they provide an "API" for this.

With just these, I've been self-hosting some signed domains since ~2014 with
not a single outage.

If the tools still look intimidating, wait till they get easier to use, or
use a professional service (but presently avoid AWS Route 53, who last I
looked still need to fix some issues around empty non-terminals) to operate
the signed domain for you.

-- 
	Viktor.
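The first monitoring item above, checking that no RRSIG in the zone is about to expire, is what the `-e <period>` option of ldns-verify-zone does. The following is an added example, not code from the thread or from the ldns project: a small Python check that parses the ISO 8601 period used in the message (P0Y0M3DT3H23M54S), reads the expiration and inception fields of every RRSIG in a zone file, and reports signatures that are expired, not yet valid, or expiring within the period. It only inspects timestamps; it does not cryptographically validate signatures the way ldns-verify-zone does. The zone excerpt, its names, key tag and signature blobs are constructed for the example.

```python
"""Warn about RRSIGs in a zone file that will expire within a given period.

Mirrors the purpose of ``ldns-verify-zone -e <period>`` for the expiry
aspect only: no signature verification is done here.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed zone excerpt for this example; names, key tag and signature
# data are placeholders, not a real signed zone.
SAMPLE_ZONE = """\
; hypothetical signed zone, constructed for illustration
example.test.     3600 IN SOA   ns1.example.test. hostmaster.example.test. 2022082301 7200 3600 1209600 3600
example.test.     3600 IN RRSIG SOA 13 2 3600 20220901000000 20220818000000 12345 example.test. c2lnbmF0dXJlMQ==
example.test.     3600 IN NS    ns1.example.test.
example.test.     3600 IN RRSIG NS 13 2 3600 20220825030000 20220811030000 12345 example.test. c2lnbmF0dXJlMg==
www.example.test.  300 IN A     192.0.2.10
www.example.test.  300 IN RRSIG A 13 3 300 20220915120000 20220901120000 12345 example.test. c2lnbmF0dXJlMw==
"""

# ISO 8601 duration, e.g. P0Y0M3DT3H23M54S (the form ldns-verify-zone -e takes).
DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_duration(text):
    """Parse an ISO 8601 duration into a timedelta.
    Years and months are approximated as 365 and 30 days; adequate for an
    expiry-warning threshold, which is all this is used for."""
    m = DURATION_RE.match(text)
    if not m or text == "P":
        raise ValueError(f"bad duration: {text}")
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=y * 365 + mo * 30 + d, hours=h, minutes=mi, seconds=s)


def _ts(text):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, expiration, inception) for each RRSIG.
    RRSIG rdata order: type-covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer name, signature."""
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "RRSIG" not in fields:
            continue
        rdata = fields[fields.index("RRSIG") + 1:]
        if len(rdata) < 9:
            continue  # truncated or multi-line record; skipped in this example
        yield fields[0], rdata[0], _ts(rdata[4]), _ts(rdata[5])


def check_zone(zone_text, period="P0Y0M3DT3H23M54S", now=None):
    """Return (owner, type_covered, status, timestamp) for every RRSIG that is
    expired, not yet valid, or expires within `period` of `now`.
    `now` is a YYYYMMDDHHMMSS string; None means the current UTC time."""
    now_dt = _ts(now) if now else datetime.now(timezone.utc)
    min_remaining = parse_duration(period)
    problems = []
    for owner, rtype, exp, inc in parse_rrsigs(zone_text):
        if now_dt < inc:
            problems.append((owner, rtype, "not yet valid", inc.strftime("%Y%m%d%H%M%S")))
        elif now_dt >= exp:
            problems.append((owner, rtype, "expired", exp.strftime("%Y%m%d%H%M%S")))
        elif exp - now_dt < min_remaining:
            problems.append((owner, rtype, "expires soon", exp.strftime("%Y%m%d%H%M%S")))
    return problems


if __name__ == "__main__":
    # Evaluate the constructed zone as of the message's own timestamp (UTC).
    found = check_zone(SAMPLE_ZONE, "P0Y0M3DT3H23M54S", "20220823051356")
    for owner, rtype, status, when in found:
        print(f"{owner} RRSIG({rtype}): {status} ({when})")
    sys.exit(1 if found else 0)  # non-zero so a cron job or monitor notices
```

Run against the constructed zone as of 2022-08-23, the NS RRSIG (expiring 2022-08-25) falls inside the three-day window and the A RRSIG has an inception date in the future, so both are reported while the SOA RRSIG passes. In real use you would feed it the signed zone file (or a `dig AXFR` dump) and have the non-zero exit status page you, exactly the failure the automated re-signing in the second bullet is meant to prevent.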