DANE of SMTP Survey

babydr DBA James W. Laferriere babydr at baby-dragons.com
Wed Jun 2 22:25:08 UTC 2021


 	Hello Mark ,

On Wed, 2 Jun 2021, Mark Tinka wrote:
> On 6/2/21 11:07, Jeroen Massar via NANOG wrote:
>
>> As for solutions: better education, more improvements to the tools & making 
>> it easier. CDS records already help a lot. But we might also need to 
>> improve recovery mechanisms, as f-ups are made, and you don't want to be 
>> off this Internet thing for too long.
>
> I think DNSSEC implementation needs to be made less scary for folk who are 
> apprehensive, and broken down into two steps, where step 1 is most 
> emphasized:
>
> * Enable DNSSEC on your resolvers. Does not require you to sign your
>   zones. Does not require you to read up on what it takes to sign and
>   maintain your zones. Does not require you to worry and test for the
>   next 60 days whether DNSSEC will break your e-mail delivery, etc.:
>
>              dnssec-enable yes;
>              dnssec-validation auto;
>
>         Done! Two lines (BIND, in this case), and off you go.

 	Will this handle the case of self-signed only ?
 	And as Jeroen Massar mentioned the resignation of a certificate is a tad 
troublesome for both DNSSEC & DANE .

> * Step 2 - take your time cluing up on getting your zone signed, and
>   being part of the solution toward a more secure Internet. No
>   pressure, at your pace.

 	Again ,  Will this handle the case of self-signed only ?

> Mark.
 		Tia ,  JimL
-- 
+---------------------------------------------------------------------+
| James   W.   Laferriere    | System    Techniques | Give me VMS     |
| Network & System Engineer  | 3237     Holden Road |  Give me Linux  |
| jiml at system-techniques.com | Fairbanks, AK. 99709 |   only  on  AXP |
+---------------------------------------------------------------------+

