DANE of SMTP Survey
Tom Ivar Helbekkmo
tih at hamartun.priv.no
Fri Jun 11 08:12:02 UTC 2021
Jeroen Massar via NANOG <nanog at nanog.org> writes:

> No, not even kidding. For many organisations DNSSEC is 'scary' and a
> burden as it feels 'fragile' for them.

Unfortunately, yes. And those of us who use it know that this is a
myth. With modern software, DNSSEC is quick and easy to set up, and
works just fine, with no reason for any problems. The effort invested
is a very low price to pay for the added protection, both directly (by
making sure that spoofing attacks &c make resolving fail noticeably),
and through the various added mechanisms you can then apply, such as CAA
records.

> And replacing a DNS key can take a few moments, especially with
> caching of records etc.
> Thus downtime is then ensured.

Not if you do it right. Add the new key, wait a while, then remove the
old key. On installations I manage, this is scripted, and done from
cron, rotating ZSKs on a monthly basis.

> Combine that with many shops not having much DNS knowledge in the
> first place, they won't easily get their heads around that barrier.

Now that's a real problem. If you're going to do X, you should have
someone on staff who knows enough about X to do it right, safely.
-tih
--
Most people who graduate with CS degrees don't understand the significance
of Lisp. Lisp is the most important idea in computer science. --Alan Kay
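The "add the new key, wait a while, then remove the old key" ZSK rollover described in the post, as an added example (my own code, not from the post or from any DNS software): a small model of a pre-publish rollover that checks, at every instant, that a validating resolver still holding cached DNSKEY or signed data within its TTL can find the key that produced the signatures it holds. Time units, TTL values and the key names "old"/"new" are constructed; the DNSKEY RRset itself is signed by the KSK and so is not affected by a ZSK change.

```python
"""Pre-publish ZSK rollover timeline check (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rollover:
    publish_new: int    # time the new ZSK enters the DNSKEY RRset
    sign_with_new: int  # time zone RRSIGs switch to the new ZSK
    remove_old: int     # time the old ZSK leaves the DNSKEY RRset


def dnskey_set(plan: Rollover, t: int) -> set:
    """DNSKEY RRset the authoritative server serves at time t."""
    keys = set()
    if t < plan.remove_old:
        keys.add("old")
    if t >= plan.publish_new:
        keys.add("new")
    return keys


def signing_key(plan: Rollover, t: int) -> str:
    """ZSK that signs zone data (re)signed at time t."""
    return "new" if t >= plan.sign_with_new else "old"


def validates(plan: Rollover, t: int, dnskey_ttl: int, max_ttl: int) -> bool:
    """At time t a resolver may hold a DNSKEY RRset fetched up to dnskey_ttl
    ago and a signed RRset fetched up to max_ttl ago (the largest TTL in the
    zone); validation must succeed for every combination of fetch times."""
    for kt in range(t - dnskey_ttl, t + 1):
        keys = dnskey_set(plan, kt)
        for st in range(t - max_ttl, t + 1):
            if signing_key(plan, st) not in keys:
                return False
    return True


def first_failure(plan: Rollover, horizon: int, dnskey_ttl: int, max_ttl: int):
    """First time at which some resolver could fail validation, or None."""
    for t in range(horizon):
        if not validates(plan, t, dnskey_ttl, max_ttl):
            return t
    return None


def prepublish_plan(start: int, dnskey_ttl: int, max_ttl: int) -> Rollover:
    """Safe schedule: publish, wait one DNSKEY TTL before signing with the new
    key, then keep the old key until nothing it signed can still be cached."""
    return Rollover(start, start + dnskey_ttl, start + dnskey_ttl + max_ttl)
```

Swapping the key in a single step (`Rollover(10, 10, 10)`) fails immediately, and shortening either wait fails at the moment the shortcut is taken; the cron job the post mentions only has to emit the three timestamps that `prepublish_plan` computes.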