new | ask | show | jobs
thayne 5 hours ago  [ - ]

> If you own and host your own domain, it's probably very easy to have your DNS provider enable DNSSEC for you

It isn't that easy on AWS.

It also generally is not that easy if your domain registrar is not the same as your dns host, because it involves both parties. And some registrers don't have APIs for automatic certificate rotation, so you have to manually rotate the certs periodically.

kro 5 hours ago  [ - ]

I have a setup with separated dns and domain since 2021. Using a CSK with unlimited lifetime, I never had to rotate. And could easily also migrate both parts (having a copy of the key material)

Register only has public material

The master is bind9, and any semi-trusted provider can be used as slave/redundency/cdn getting zonetransfers including the RRsigs

thayne 2 hours ago  [ - ]

> Using a CSK with unlimited lifetime

Well in cases where I have had to deal with DNSSEC, I've had to rotate the KSK annually for compliance reasons.