DANE of SMTP Survey
babydr DBA James W. Laferriere
babydr at baby-dragons.com
Wed Jun 2 22:25:08 UTC 2021
Hello Mark ,
On Wed, 2 Jun 2021, Mark Tinka wrote:
> On 6/2/21 11:07, Jeroen Massar via NANOG wrote:
>
>> As for solutions: better education, more improvements to the tools & making
>> it easier. CDS records already help a lot. But we might also need to
>> improve recovery mechanisms, as f-ups are made, and you don't want to be
>> off this Internet thing for too long.
>
> I think DNSSEC implementation needs to be made less scary for folk who are
> apprehensive, and broken down into two steps, where step 1 is most
> emphasized:
>
> * Enable DNSSEC on your resolvers. Does not require you to sign your
> zones. Does not require you to read up on what it takes to sign and
> maintain your zones. Does not require you to worry and test for the
> next 60 days whether DNSSEC will break your e-mail delivery, etc.:
>
> dnssec-enable yes;
> dnssec-validation auto;
>
> Done! Two lines (BIND, in this case), and off you go.
Will this handle the case of self-signed only ?
And as Jeroen Massar mentioned the resignation of a certificate is a tad
troublesome for both DNSSEC & DANE .
> * Step 2 - take your time cluing up on getting your zone signed, and
> being part of the solution toward a more secure Internet. No
> pressure, at your pace.
Again , Will this handle the case of self-signed only ?
> Mark.
Tia , JimL
--
+---------------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network & System Engineer | 3237 Holden Road | Give me Linux |
| jiml at system-techniques.com | Fairbanks, AK. 99709 | only on AXP |
+---------------------------------------------------------------------+
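
One way to confirm that the resolver-side step quoted above took effect, as an added example that is not part of the original thread: it sends queries with the EDNS0 DO bit set and reads the response code and AD flag. The resolver address and the two test names (ietf.org as a signed zone, dnssec-failed.org as a deliberately broken one) are assumptions; substitute your own.

```python
import socket
import struct

AD, RCODE_MASK, SERVFAIL = 0x0020, 0x000F, 2

def build_query(name, txid, qtype=1):
    """DNS query for `name` (A record by default) with RD set and EDNS0 DO=1."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)  # OPT RR, DO bit in TTL field
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def read_flags(resp, txid):
    """Return (rcode, ad_bit) from a DNS response header."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit clear
        raise ValueError("not a response to our query")
    return flags & RCODE_MASK, bool(flags & AD)

def verdict(signed, broken):
    """signed/broken are (rcode, ad) for a correctly signed and a bogus zone."""
    if signed == (0, True) and broken[0] == SERVFAIL:
        return "validating"
    if signed == (0, False) and broken[0] == 0:
        return "not validating"
    return "inconclusive"

def ask(server, name, txid):
    """Send one UDP query to `server` and return (rcode, ad_bit)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, txid), (server, 53))
        return read_flags(s.recv(4096), txid)

if __name__ == "__main__":
    # Assumptions: resolver on localhost; ietf.org is signed and
    # dnssec-failed.org is intentionally mis-signed for testing.
    resolver = "127.0.0.1"
    print(verdict(ask(resolver, "ietf.org", 1), ask(resolver, "dnssec-failed.org", 2)))
```

The AD flag only describes what the queried resolver did, so the result is meaningful when run against the resolver itself or over a path you trust.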