Re: DANE of SMTP Survey

["babydr DBA James W. Laferriere" <babydr () baby-dragons com>]

        Hello Mark ,

On Wed, 2 Jun 2021, Mark Tinka wrote:
> On 6/2/21 11:07, Jeroen Massar via NANOG wrote:
>
> > As for solutions: better education, more improvements to the tools & making 
> > it easier. CDS records already help a lot. But we might also need to 
> > improve recovery mechanisms, as f-ups are made, and you don't want to be 
> > off this Internet thing for too long.
>
> I think DNSSEC implementation needs to be made less scary for folk who are 
> apprehensive, and broken down into two steps, where step 1 is most 
> emphasized:
>
> * Enable DNSSEC on your resolvers. Does not require you to sign your
>   zones. Does not require you to read up on what it takes to sign and
>   maintain your zones. Does not require you to worry and test for the
>   next 60 days whether DNSSEC will break your e-mail delivery, e.t.c.:
>
>              dnssec-enable yes;
>              dnssec-validation auto;
>
>         Done! Two lines (BIND, in this case), and off you go.

        Will this handle the case of self-signed only ?
	And as Jeroen Massar mentioned the resignation of a certificate is a tad 
troubles some for both DNSSEC & DANE .

> * Step 2 - take your time cluing up on getting your zone signed, and
>   being part of the solution toward a more secure Internet. No
>   pressure, at your pace.

        Again ,  Will this handle the case of self-signed only ?

> Mark.
                Tia ,  JimL
--
+---------------------------------------------------------------------+
| James   W.   Laferriere    | System    Techniques | Give me VMS     |
| Network & System Engineer  | 3237     Holden Road |  Give me Linux  |
| jiml () system-techniques com | Fairbanks, AK. 99709 |   only  on  AXP |
+---------------------------------------------------------------------+