by rmoriz 91 days ago
I enabled DNSSEC a couple of years ago on my self-hosted PowerDNS setup. I sign the zone locally, then build Docker containers via SSH on the target nodes.

I made a mistake once and signed with the wrong keys, which then broke DANE. It's good to validate your DNSSEC (and DANE, CAA etc.) setup through external monitoring.


The key rollover part is what kills me about DNSSEC. I deal with key rotation in other contexts and it's already annoying, but at least if I mess up a TLS cert renewal the worst case is a browser warning. DNSSEC KSK rotation goes wrong and your whole domain stops resolving. And the old DS record is cached upstream so there's no quick fix.
> The key rollover part is what kills me about DNSSEC.

Key rollover is completely optional with DNSSEC (unlike with TLS where it's semi-mandatory). All of my domains use infinite lifetime DNSSEC keys, which probably isn't ideal from a security perspective, but it's still much better than no DNSSEC at all.

> but at least if I mess up a TLS cert renewal the worst case is a browser warning.

If you have HSTS enabled (which you probably should), then you're unable to bypass the browser warnings, so if you have a bad TLS certificate, then you'll be completely unable to connect to the website.

At least the error goes away immediately, for everyone, once you fix the cert.

.net seems to serve DS records with at least 18 hours TTL. So worst case it takes your monitoring up to 18 hours to notice your record was broken, and then another 18 hours before your fixed record is served everywhere.

Aren't you supposed to keep the old and new KSK records for a while? Sorry if it's a dumb question since I don't regularly do this myself.

Worst case you can put the old records back until you figure out how to generate the new ones correctly, right? (Assuming it's not too close to the expiry time)

"Pre-publish" and "double signature"
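As an added example (not part of the thread and not anyone's real setup), the following Python script replays the timing argument made above: a flag-day KSK swap breaks every validator still holding the old DS for up to the DS TTL, a double-signature rollover that keeps both KSKs in the zone until the DS TTL has elapsed never breaks, and retiring the old KSK even a couple of hours too early reopens the window. The 18-hour DS TTL is the figure quoted upthread; the key tags are constructed sample values, and the model deliberately tracks only DS caching at validators (it ignores DNSKEY RRset caching, signature validity windows, and the pre-publish variant). It goes slightly beyond the thread by also quantifying the too-early case.

```python
from dataclasses import dataclass

HOUR = 3600
DS_TTL = 18 * HOUR   # DS TTL quoted in the thread for .net; treated as the cache horizon


@dataclass(frozen=True)
class Step:
    """One change in the rollover plan (times are seconds from the start)."""
    t: int
    who: str              # "parent": DS RRset at the registry; "child": KSKs served in the zone
    keytags: frozenset    # key tags present after this step (constructed sample values)


def state_at(plan, who, t):
    """Return the key-tag set published by `who` at time t (latest step at or before t)."""
    current = frozenset()
    for s in sorted(plan, key=lambda s: s.t):
        if s.who == who and s.t <= t:
            current = s.keytags
    return current


def validates(cached_ds, served_ksks):
    """The chain of trust holds iff at least one cached DS matches a KSK the child serves."""
    return bool(cached_ds & served_ksks)


def find_outages(plan, horizon, step=HOUR):
    """Replay the plan hour by hour. At each instant consider every validator whose DS
    snapshot is between 0 and DS_TTL old; return (hour, snapshot_age_hours) pairs that
    would fail validation. An empty list means no validator ever breaks."""
    outages = []
    for now in range(0, horizon + 1, step):
        served = state_at(plan, "child", now)
        for age in range(0, DS_TTL + 1, step):
            snapshot = state_at(plan, "parent", max(0, now - age))
            if not validates(snapshot, served):
                outages.append((now // HOUR, age // HOUR))
    return outages


OLD, NEW = frozenset({11111}), frozenset({22222})   # constructed key tags, not real ones

# Flag-day swap: parent DS and child KSK both switch at hour 1. Any validator still
# holding the old DS (up to 18h) cannot build the chain; that is the failure described
# upthread, and nothing the operator does can flush those remote caches.
FLAG_DAY = [
    Step(0, "parent", OLD), Step(0, "child", OLD),
    Step(1 * HOUR, "parent", NEW), Step(1 * HOUR, "child", NEW),
]

# Double signature: the child first serves (and signs with) both KSKs, then the parent
# DS moves to the new key, and the old KSK is retired only once DS_TTL has elapsed
# since the DS change, so every cached DS snapshot can already contain the new key.
DOUBLE_SIG = [
    Step(0, "parent", OLD), Step(0, "child", OLD),
    Step(1 * HOUR, "child", OLD | NEW),
    Step(2 * HOUR, "parent", NEW),
    Step(2 * HOUR + DS_TTL, "child", NEW),
]

# Same plan, but the old KSK is withdrawn two hours before the DS TTL has run out.
TOO_EARLY = DOUBLE_SIG[:-1] + [Step(2 * HOUR + DS_TTL - 2 * HOUR, "child", NEW)]


if __name__ == "__main__":
    for name, plan in (("flag-day", FLAG_DAY), ("double-sig", DOUBLE_SIG), ("too-early", TOO_EARLY)):
        outages = find_outages(plan, 30 * HOUR)
        hours = sorted({t for t, _ in outages})
        print(f"{name:10s} broken validator-hours: {len(outages):3d}  outage hours: {hours}")
```

Reading the output: the flag-day plan breaks validators through hour 18 (the full DS TTL after the swap), the double-signature plan reports nothing, and the too-early plan shows exactly the validators whose DS snapshot predates the parent change. The same replay can be pointed at a real plan by replacing the constructed steps with your registry's DS TTL and your intended publish and retire times.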