DNSSEC signing

[mweinelt]

Investigate signing our zones with DNSSEC. This allows authenticity checks from the root zone down to our zone contents, by transitively verifying signatures.

This would prevent third-parties from tampering with our DNS records for resolvers that validate DNSSEC.

The risk is that mishandling DNSSEC can cause the zone to become unavailable until DNSSEC is fixed or TTLs expire.

Small survey among popular distros

• alpinelinux.org
• archlinux.org
• debian.org
• fedoraproject.org
• freebsd.org
• gentoo.org
• opensuse.org
• ubuntu.com

[vcunat]

With a good registrar that's just a matter of ticking a checkbox in the settings. I understand that people may not put lots of trust into them (registrars), but I'd say it's much better to let them sign than not sign at all. (for similar reasons like https gets used everywhere)

[SuperSandro2000]

I just wanted to note a common misconception which bate me pretty hard when introducing DNSSEC:
Rolling out DNSSEC without entering the key into the registrar makes some dns caching software make it ignore it while others treat it as a failure and things stop working.

[vcunat]

That's some kind of confusion. The way you phrase it doesn't make any sense to me. Either way, I write/maintain a resolver with DNSSEC validator as a part of my paid job, so I believe we can avoid such mistakes.

[mweinelt]

If you don't give your registrar the public key they are supposed to put into the parent zone then of course nothing works in a delegated setup.

If your registrar holds the keypairs and takes care of the signing that becomes a non-issue.