Re: [CentOS] DNSSEC Questions

2019-02-15 Thread Gordon Messmer
On 2/12/19 11:49 PM, Paul R. Ganci wrote: Okay so I misunderstood the message I was getting when I checked my DNSSEC setup via http://dnsviz.net/. What you are telling me is that all I had to do was re-sign the zone files but that it was not necessary to generate new keys. This point is definit

Re: [CentOS] DNSSEC Questions

2019-02-13 Thread Paul R. Ganci
On 2/13/19 3:51 AM, Alice Wonder wrote: I see you are using algorithm 7 - I would recommend switching to either algorithm 13 or at least to 8. Algorithm 7 uses a SHA1 hash. See https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-04 That's a draft but soon will be an update to the st

Re: [CentOS] DNSSEC Questions

2019-02-13 Thread Alice Wonder
On 2/12/19 11:49 PM, Paul R. Ganci wrote: On 2/12/19 10:55 PM, Alice Wonder wrote: DNSSEC keys do not expire. Signatures do expire. How long a signature is good for depends upon the software generating the signature, some let you specify. ldns I believe defaults to 60 days but I am not sure.

Re: [CentOS] DNSSEC Questions

2019-02-12 Thread Paul R. Ganci
On 2/12/19 10:55 PM, Alice Wonder wrote: DNSSEC keys do not expire. Signatures do expire. How long a signature is good for depends upon the software generating the signature, some let you specify. ldns I believe defaults to 60 days but I am not sure. The keys are in DNSKEY records that are

Re: [CentOS] DNSSEC Questions

2019-02-12 Thread Alice Wonder
On 2/12/19 7:26 PM, Paul R. Ganci wrote: Last weekend I had my DNSSEC keys expire. I discovered that they had expired the hard way... namely randomly websites could not be found and email did not get delivered. It seems that the keys were only valid for what I estimate was about 30 days. It is

[CentOS] DNSSEC Questions

2019-02-12 Thread Paul R. Ganci
Last weekend I had my DNSSEC keys expire. I discovered that they had expired the hard way... namely randomly websites could not be found and email did not get delivered. It seems that the keys were only valid for what I estimate was about 30 days. It is a real PITA to have to update the keys, rest

[CentOS] DNSSEC deployment stats

2016-04-28 Thread Alice Wonder
Since it was discussed earlier, I thought some might find this link interesting : http://secspider.verisignlabs.com/stats.html It is a spider that crawls DNS servers counting both DNSSEC and TLSA records.

[CentOS] DNSSEC / Security stats (forked from php thread)

2016-04-27 Thread Alice Wonder
I don't have a source, I'd have to dig through my browser history, but I looked at some of these stats just last month. Roughly 2% of the top 1000 domains in the United States had deployed DNSSEC - which I *think* is double what it was a year ago. Roughly 7% of ISP recursive DNS servers enfor

Re: [CentOS] DNSSEC

2010-05-02 Thread Nataraj
Nataraj wrote: > m.r...@5-cent.us wrote: > >> Well, folks, >> >>There's an article on slashdot, >> >> >> Excerpt: >> ...the coming milestone of May 5, at 17:00 UTC --- at this time DNSSEC will >> be rolled out across all 13 root serv

Re: [CentOS] DNSSEC

2010-05-01 Thread Nataraj
m.r...@5-cent.us wrote: > Well, folks, > >There's an article on slashdot, > > > Excerpt: > ...the coming milestone of May 5, at 17:00 UTC --- at this time DNSSEC will > be rolled out across all 13 root servers. Some Internet users, espe

Re: [CentOS] DNSSEC

2010-04-30 Thread m . roth
Drew wrote: > Behalf Of m.r...@5-cent.us > Sent: Friday, April 30, 2010 1:07 PM > >>There's an article on slashdot, >> > >> Excerpt: >> ...the coming milestone of May 5, at 17:00 UTC - at this time DNSSEC will >> be rolled out across a

Re: [CentOS] DNSSEC

2010-04-30 Thread Drew Weaver
entos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of m.r...@5-cent.us Sent: Friday, April 30, 2010 1:07 PM To: CentOS mailing list Subject: [CentOS] DNSSEC Well, folks, There's an article on slashdot, <http://tech.slashdot.org/article.pl?sid=10/04/30/1258234> E

[CentOS] DNSSEC

2010-04-30 Thread m . roth
Well, folks, There's an article on slashdot, Excerpt: ...the coming milestone of May 5, at 17:00 UTC — at this time DNSSEC will be rolled out across all 13 root servers. Some Internet users, especially those inside corporations and beh