Hi, I will split my answer by technology:
Cryptographic side:
1. Private keys are lost or compromised.
2. Private keys were not rolled or rolled too long ago.
3. Cryptographic algorithms used for signing are no longer secure.
DNS side:
1. You have changed SOA options.
2. You have added, changed or deleted resource records.
Fortunately, you may automate zone and resource record signing and key rolling by creating and implementing a signing policy in dns/bind916.
Please note that DNSSEC is very complicated, and if something goes wrong your DNS records will be rejected and your clients will not be able to reach your services. You need to keep an eye on every key roll and any change to the root zone keys, and never go past the RRSIG validity period. Think twice before implementing DNSSEC.
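
An added example, not part of the original answer: a Python check over RRSIG records in `dig +dnssec` presentation format that flags signatures outside or close to the end of their validity period, and signatures made with weak algorithms. The sample records, the 3-day warning window and the weak-algorithm set are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (RFC 4034 section 3.2 presentation format); names,
# key tags and signatures are placeholders, not real zone data.
SAMPLE = """\
example.org. 3600 IN RRSIG SOA 13 2 3600 20240615000000 20240601000000 12345 example.org. c2lnMQ==
example.org. 3600 IN RRSIG DNSKEY 13 2 3600 20240604000000 20240521000000 54321 example.org. c2lnMg==
www.example.org. 3600 IN RRSIG A 13 3 3600 20240531000000 20240517000000 12345 example.org. c2lnMw==
old.example.net. 3600 IN RRSIG SOA 5 2 3600 20240620000000 20240525000000 11111 old.example.net. c2lnNA==
new.example.org. 3600 IN RRSIG AAAA 13 3 3600 20240616000000 20240602000000 12345 example.org. c2lnNQ==
example.org. 3600 IN A 192.0.2.1
"""

# Assumption: treat the MD5, SHA-1, DSA and GOST based algorithm numbers as weak.
WEAK_ALGS = {1, 3, 5, 6, 7, 12}

def _ts(value):
    # Assumes the YYYYMMDDHHmmSS form of RRSIG timestamps, always UTC.
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit_rrsigs(text, now, warn=timedelta(days=3)):
    """Classify every RRSIG line in `text` relative to the time `now`."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue  # not an RRSIG record
        # Field order: covered type, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer, signature.
        expiration, inception = _ts(f[8]), _ts(f[9])
        if now < inception:
            status = "not-yet-valid"
        elif now >= expiration:
            status = "expired"
        elif expiration - now <= warn:
            status = "expiring"
        else:
            status = "ok"
        findings.append({"owner": f[0], "covers": f[4], "key_tag": int(f[10]),
                         "status": status, "weak_alg": int(f[5]) in WEAK_ALGS})
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed for the sample
    for item in audit_rrsigs(SAMPLE, now):
        if item["status"] != "ok" or item["weak_alg"]:
            print(item)
```
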