by silisili 1118 days ago
Correcting mistakes is a pain point, but really applies to DNS as a whole rather than just DNSSEC.

I think a lot of the problem stems from people using really long TTLs for the keys, which used to be the standard advice.

That said, as someone who used to manage DNS and DNSSEC at a TLD level, I will admit that documentation and best practices are poor. I remember asking someone why it was this way, and he told me it was because people want to make money contracting, so were less than willing to make it accessible.

Once you understand what's happening, you can make a little cheat sheet and it's actually really simple. But it seems like everyone forges ahead their own way, myself included.

1 comment

Show us your cheat sheet...

I've been out of the business for seven years, and don't have much anymore as I've switched jobs a few times.

It was mainly around process and timings. BIND 9 has a pretty good guide on it. The easy option is to just add the new key, let everything sign, then later (after at least a TTL period, probably longer to be safe) remove the old.

The other way, that we did, is to publish keys before you use them, then retain the old key after the signing key swap, for a TTL period each. That keeps the zone size small.

Lastly, don't roll a KSK and ZSK at the same time. It's doable, but not worth the dance in any situation.

That said, if you have any specific questions, I'm happy to help.
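The timing described in the comment above (publish the new ZSK, wait a DNSKEY TTL before it starts signing, keep the old ZSK published for the zone's longest TTL after the swap) can be checked mechanically. The following is an added example, not code from the commenter or from BIND: it models what a validating resolver might still hold in cache at any moment and brute-forces every combination of "now", DNSKEY fetch time and answer fetch time for a safe failure. The TTL values (3600 s DNSKEY, 7200 s max zone TTL) and the `slack` parameter for propagation to secondaries are constructed for illustration; the model ignores zone transfer delay and RRSIG expiry.

```python
"""Check the timing of a pre-publish ZSK rollover against resolver caches.

Model (assumption for this example): a validating resolver may hold a
DNSKEY RRset fetched at any time in the last `dnskey_ttl` seconds and a
signed answer (with its RRSIG) fetched at any time in the last `zone_ttl`
seconds.  Validation fails if the key that signed the cached answer is
absent from the cached DNSKEY RRset.  All times are seconds relative to
the moment the new key is first published.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rollover:
    dnskey_ttl: int   # TTL of the DNSKEY RRset
    zone_ttl: int     # largest TTL of any signed RRset in the zone
    publish: int      # new ZSK first appears in the DNSKEY RRset
    activate: int     # new ZSK starts producing RRSIGs, the old one stops
    remove: int       # old ZSK leaves the DNSKEY RRset


def dnskey_set(r: Rollover, t: int) -> frozenset:
    """Keys present in the DNSKEY RRset served at time t."""
    keys = set()
    if t < r.remove:
        keys.add("old")
    if t >= r.publish:
        keys.add("new")
    return frozenset(keys)


def signer(r: Rollover, t: int) -> str:
    """Which ZSK signed an answer served at time t."""
    return "new" if t >= r.activate else "old"


def first_failure(r: Rollover, step: int = 300) -> Optional[Tuple[int, int, int]]:
    """Walk a grid of `step` seconds over (now, DNSKEY fetch time d, answer
    fetch time z).  Return the first (now, d, z) where a resolver holding
    that pair of cached records would fail validation, or None if the
    rollover is safe everywhere.  Rollover times should be multiples of
    `step` so the grid hits every boundary."""
    end = r.remove + r.zone_ttl + r.dnskey_ttl
    for now in range(-r.zone_ttl, end + 1, step):  # include pre-rollover history
        for d in range(now - r.dnskey_ttl, now + 1, step):
            cached_keys = dnskey_set(r, d)
            for z in range(now - r.zone_ttl, now + 1, step):
                if signer(r, z) not in cached_keys:
                    return (now, d, z)
    return None


def pre_publish_plan(dnskey_ttl: int, zone_ttl: int, slack: int = 0) -> Rollover:
    """Timeline from the comment: publish, wait a DNSKEY TTL, swap the signing
    key, wait the zone's max TTL, then drop the old key.  `slack` is extra
    time for propagation to secondaries, which this model does not simulate."""
    activate = dnskey_ttl + slack
    return Rollover(dnskey_ttl, zone_ttl, publish=0, activate=activate,
                    remove=activate + zone_ttl + slack)


if __name__ == "__main__":
    # Constructed TTLs: 1 h DNSKEY TTL, 2 h maximum zone TTL.
    safe = pre_publish_plan(3600, 7200, slack=600)
    print("safe plan:", first_failure(safe))
    # Activating before every cache could have learned the new DNSKEY.
    early_sign = Rollover(3600, 7200, publish=0, activate=1800, remove=9000)
    print("signed too early:", first_failure(early_sign))
    # Dropping the old key before every cached RRSIG it produced has expired.
    early_drop = Rollover(3600, 7200, publish=0, activate=3600, remove=7200)
    print("removed too early:", first_failure(early_drop))
```

Each failure tuple reads as: at `now`, a resolver that fetched DNSKEY at `d` and a signed answer at `z` would see a signature by a key it does not have. The two broken plans fail exactly at the boundaries the comment warns about: signing before one DNSKEY TTL has elapsed since publication, and removing the old key less than one zone TTL after the swap.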