nanog mailing list archives
Re: DANE of SMTP Survey
From: Tom Ivar Helbekkmo via NANOG <nanog () nanog org>
Date: Fri, 11 Jun 2021 10:12:02 +0200
Jeroen Massar via NANOG <nanog () nanog org> writes:
> No, not even kidding. For many organisations DNSSEC is 'scary' and a burden as it feels 'fragile' for them.

Unfortunately, yes. And those of us who use it know that this is a myth. With modern software, DNSSEC is quick and easy to set up, and works just fine, with no reason for any problems. The effort invested is a very low price to pay for the added protection, both directly (by making sure that spoofing attacks &c make resolving fail noticeably), and through the various added mechanisms you can then apply, such as CAA records.

> And replacing a DNS key can take a few moments, especially with caching of records etc. Thus downtime is then ensured.

Not if you do it right. Add the new key, wait a while, then remove the old key. On installations I manage, this is scripted, and done from cron, rotating ZSKs on a monthly basis.

> Combine that with many shops not having much DNS knowledge in the first place, they won't easily get their heads around that barrier.

Now that's a real problem. If you're going to do X, you should have someone on staff who knows enough about X to do it right, safely.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance of Lisp. Lisp is the most important idea in computer science. --Alan Kay
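The add/wait/remove rotation described in the message above hinges on how long each wait must be. As an added example (not from the post or the poster's own scripts), this computes the earliest safe time for each step of a pre-publish ZSK rollover as laid out in RFC 6781, and the step a periodic run may take. The function names and sample TTLs are constructed, and it assumes the zone is fully re-signed in one pass when the new key starts signing.

```python
from datetime import datetime, timedelta, timezone

STEPS = ("publish_new", "sign_with_new", "remove_old")

def zsk_rollover_plan(start, dnskey_ttl, max_zone_ttl, propagation):
    """Earliest safe time for each step of a pre-publish ZSK rollover."""
    # Step 1: add the new ZSK to the DNSKEY RRset; it signs nothing yet.
    publish_new = start
    # Step 2: sign with the new key only after every resolver's cached DNSKEY
    # RRset (which may lack the new key) has expired and all secondaries
    # serve the updated zone.
    sign_with_new = publish_new + propagation + dnskey_ttl
    # Step 3: withdraw the old key only after every cached RRSIG made by it
    # has expired; removing it earlier makes those answers fail validation.
    remove_old = sign_with_new + propagation + max_zone_ttl
    return {"publish_new": publish_new, "sign_with_new": sign_with_new,
            "remove_old": remove_old}

def next_action(now, plan, done):
    """Step a periodic (cron) run may perform now, 'wait', or 'complete'."""
    for step in STEPS:
        if step not in done:
            return step if now >= plan[step] else "wait"
    return "complete"

if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    plan = zsk_rollover_plan(
        start=datetime(2021, 6, 1, tzinfo=timezone.utc),
        dnskey_ttl=timedelta(hours=1),
        max_zone_ttl=timedelta(days=1),
        propagation=timedelta(minutes=10),
    )
    for step in STEPS:
        print(f"{step:14} not before {plan[step].isoformat()}")
```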