On 2022-08-22 14:46, Viktor Dukhovni wrote:
> [..]
> You don't need to sign your own domain in order to secure outbound
> traffic to domains that others have signed. You just need a local
> validating resolver such as "unbound", with DNSSEC validation turned on.
Ok, yeah, I was thinking more of DANE for my own domains rather than
validating others.
> My take is that the person in question likes being a cult leader,
> dispensing wisdom to adherents, who then, along with the leader, get to
> feel superior to the uninitiated masses.
Interesting! I have no idea who that person is; I just came across that
post in a comment on a website somewhere years ago. I had read others
complain about DNSSEC but hadn't seen what appeared to be fairly
organized, specific thoughts on the subject rather than a one-liner
that they hate DNSSEC without saying why.
> The tooling around DNSSEC has significantly improved recently, making
> hands-off auto-pilot operation much simpler in e.g. BIND 9.16 and
> later.
> Or you can get your domain professionally operated by Google, one.com,
> OVH, ... who operate millions of signed domains with no issues.
I checked and I do have BIND 9.16 where I host my domains (on my own
servers). I'll think about it more; my home setup is quite simple and I
haven't invested much time in it since before 2010, probably (other
than OS updates and stuff to keep it going).
I have been using Dyn DNS for work-related DNS stuff since about 2009;
even though Oracle keeps saying they plan to retire the legacy Dyn
stuff (and says the newer Oracle Cloud DNS uses the same Dyn backend),
it's still alive until May 2023 at least.
> In any case, outbound DANE does not require anything non-trivial on
> your end.
Good to know, thanks!!
nate
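An added example (not code from the thread or from any MTA) illustrating Viktor's point about the validating resolver: an outbound DANE client only trusts TLSA records when its resolver set the AD ("Authenticated Data") bit, and it then selects a TLS policy following RFC 7672. The `TLSA` class, the policy names and the certificate bytes below are constructed for illustration; DANE-TA(2) chain matching is left out, only DANE-EE(3) matching is shown.

```python
import hashlib
from dataclasses import dataclass

AD_FLAG = 0x0020  # "Authenticated Data" bit in the DNS header flags word


@dataclass(frozen=True)
class TLSA:
    """One TLSA record (constructed type, not a library API)."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


def usable_for_smtp(rr: TLSA) -> bool:
    # RFC 7672 section 3.1.3: PKIX usages (0, 1) are not usable for SMTP,
    # since there is no agreed CA set to anchor them on.
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)


def tls_policy(header_flags: int, rcode: int, records) -> str:
    """Policy an opportunistic-DANE client derives from the TLSA answer:
    'dane' (authenticate against TLSA), 'encrypt' (TLS required, peer not
    authenticated) or 'may' (plain opportunistic TLS)."""
    if rcode != 0 or not records or not (header_flags & AD_FLAG):
        # No records, or records the resolver did not validate: the TLSA
        # data cannot be trusted, so DANE must not be attempted at all.
        return "may"
    if any(usable_for_smtp(r) for r in records):
        return "dane"
    # Signed but unusable records still prove the server supports TLS
    # (RFC 7672 section 2.2): refuse cleartext, but cannot authenticate.
    return "encrypt"


def matches_dane_ee(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Check one DANE-EE(3) record against the presented leaf certificate.
    cert_der / spki_der are the DER encodings the TLS client extracted."""
    if rr.usage != 3:
        return False
    target = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return target == rr.data
    algo = hashlib.sha256 if rr.mtype == 1 else hashlib.sha512
    return algo(target).digest() == rr.data


# Constructed sample data: a fake SPKI and a "3 1 1" record derived from it.
SAMPLE_SPKI = b"constructed-spki-bytes-for-example"
SAMPLE_RR = TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())
```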