Can we do a DNSSEC 101? [closed]
Posted
by
PAStheLoD
on Server Fault
See other posts from Server Fault
or by PAStheLoD
Published on 2011-02-15T14:44:49Z
Indexed on
2011/02/15
15:27 UTC
Read the original article
Hit count: 235
Please share your opinions, FAQs, HOWTOs, best practices (or links to the one you think is the best) and your fears and thoughts about the whole migration (or should I just call it a new piece of tech?).
Is DNSSEC just for DNS providers (name server operators)? What ought John Doe to do, who hosts johndoe.com at some random provider (GoDaddy, DreamHost and such)? Also, what if the provider's name server doesn't do automatic signing magic, can John do it manually? In a fire-and-forget way, without touching KSKs and ZSKs rollovers and updating and headaches?)
Does it bring any change regarding CERT records? Do browsers support it?
How come it became so complex? Why didn't they just merged it with SSL? DKIM is pretty straightforward, IANA/IETF could've opted for something like that. (Yes I know that creating a trust anchor would be still problematic, but browsers are already full of CA certs. So, they could've just let anyone get a cert for a domain for shiny green padlocks, or just generate one for a poor blue lock, put it into a TXT record, encrypt the other records and let the parent zone sign the whole for you with its cert.)
Thanks!
And for disclosure (it seemed like the customary thing to do around here), I've asked the same on the netsec subreddit.
© Server Fault or respective owner