nanog mailing list archives

Re: DANE of SMTP Survey


From: Tom Ivar Helbekkmo via NANOG <nanog () nanog org>
Date: Fri, 11 Jun 2021 10:12:02 +0200

Jeroen Massar via NANOG <nanog () nanog org> writes:

> No, not even kidding. For many organisations DNSSEC is 'scary' and a
> burden as it feels 'fragile' for them.

Unfortunately, yes.  And those of us who use it know that this is a
myth.  With modern software, DNSSEC is quick and easy to set up, and
works just fine, with no reason for any problems.  The effort invested
is a very low price to pay for the added protection, both directly (by
making sure that spoofing attacks &c make resolving fail noticeably),
and through the various added mechanisms you can then apply, such as CAA
records.

> And replacing a DNS key can take a few moments, especially with
> caching of records etc.
> Thus downtime is then ensured.

Not if you do it right.  Add the new key, wait a while, then remove the
old key.  On installations I manage, this is scripted, and done from
cron, rotating ZSKs on a monthly basis.

> Combine that with many shops not having much DNS knowledge in the
> first place, they won't easily get their heads around that barrier.

Now that's a real problem.  If you're going to do X, you should have
someone on staff who knows enough about X to do it right, safely.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay

