DANE of SMTP Survey

• Previous message (by thread): DANE of SMTP Survey
• Next message (by thread): DANE of SMTP Survey
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/2/21 11:07, Jeroen Massar via NANOG wrote:

> As for solutions: better education, more improvements to the tools & making it easier. CDS records already help a lot. But we might also need to improve recovery mechanisms, as f-ups are made, and you don't want to be off this Internet thing for too long.

I think DNSSEC implementation needs to be made less scary for folk who 
are apprehensive, and broken down into two steps, where step 1 is most 
emphasized:

  * Enable DNSSEC on your resolvers. Does not require you to sign your
    zones. Does not require you to read up on what it takes to sign and
    maintain your zones. Does not require you to worry and test for the
    next 60 days whether DNSSEC will break your e-mail delivery, e.t.c.:

              dnssec-enable yes;
              dnssec-validation auto;

         Done! Two lines (BIND, in this case), and off you go.

  * Step 2 - take your time cluing up on getting your zone signed, and
    being part of the solution toward a more secure Internet. No
    pressure, at your pace.

Mark.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20210602/8cc3fba6/attachment.html>

• Previous message (by thread): DANE of SMTP Survey
• Next message (by thread): DANE of SMTP Survey
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]