On Thu, Apr 22, 2021, at 09:47, Viktor Dukhovni wrote:
> My domain has been signed since 2014 without any disruptions, with just a modest monitoring script that has alerted me to pending expiration (automated re-signing wasn't kicking in) a couple of times, well before the signatures expired. The bugs that resulted in resigning not happening have been fixed for some time, and I don't have to expend any energy to keep DNSSEC running, it just works.
That's you - you're an expert in this field. Most people aren't. And yet - as you mention, you had a bug with automated re-signing failing and had to add monitoring.
Also, I suspect that the content of your zone is managed by... you.
Extrapolating from that to assume that everyone else in the world will have the same experience... maybe the tooling has become heaps better than when we looked in 2016, but the list of DNSSEC failures hasn't exactly trickled to zero - cdc.gov in the year 2021 being a nice example case:
Bron.
--
Bron Gondwana, CEO, Fastmail Pty Ltd
brong@xxxxxxxxxxxxxxxx
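The "modest monitoring script" Viktor mentions is the kind of check that catches a stalled re-signer before the signatures expire. The following is an added example, not code from the thread or from either poster's setup: it reads RRSIG records in zone-file presentation format and flags any that are expired, not yet valid, or close to expiring. The 7-day threshold, the reference time, and the RRSIG records are all assumptions constructed for the demo.

```python
# Added example (not from the thread): a minimal RRSIG expiry monitor. Input is
# RRSIG records in zone-file presentation format, e.g. from `dig +dnssec` or the
# signed zone file; the records below are constructed sample data.
from datetime import datetime, timedelta, timezone

WARN_BEFORE = timedelta(days=7)  # assumed threshold: alert with a week to spare
# Assumed reference time for the demo (the timestamp of the mail above).
REFERENCE_NOW = datetime(2021, 4, 22, 9, 47, tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return (owner, type_covered, inception, expiration) for one RRSIG record.

    RFC 4034 presentation format: owner TTL class RRSIG type-covered algorithm
    labels original-TTL expiration inception key-tag signer signature...
    Timestamps are YYYYMMDDHHmmSS in UTC.
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    to_utc = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return f[0], f[4], to_utc(f[9]), to_utc(f[8])


def check_rrsigs(lines, now, warn_before=WARN_BEFORE):
    """Return (owner, type, status, seconds_remaining) for each signature that is
    expired, not yet valid, or within warn_before of expiring."""
    problems = []
    for line in lines:
        owner, rtype, inception, expiration = parse_rrsig(line)
        remaining = expiration - now
        if now < inception:
            status = "not-yet-valid"
        elif remaining <= timedelta(0):
            status = "expired"
        elif remaining < warn_before:
            status = "expiring"
        else:
            continue  # healthy signature, nothing to report
        problems.append((owner, rtype, status, int(remaining.total_seconds())))
    return problems


# Constructed sample records; "AAAA" is a placeholder, not a real signature.
SAMPLE_RRSIGS = [
    "example.test. 3600 IN RRSIG SOA 13 2 3600 20210515000000 20210415000000 12345 example.test. AAAA",
    "example.test. 3600 IN RRSIG A 13 2 3600 20210425000000 20210411000000 12345 example.test. AAAA",
    "www.example.test. 3600 IN RRSIG A 13 3 3600 20210421000000 20210407000000 12345 example.test. AAAA",
    "example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20210601000000 20210501000000 12345 example.test. AAAA",
]

if __name__ == "__main__":
    for owner, rtype, status, secs in check_rrsigs(SAMPLE_RRSIGS, REFERENCE_NOW):
        print("%s %s %s (%d s remaining)" % (owner, rtype, status, secs))
```

In production the check would run from cron against live `dig +dnssec` output with `datetime.now(timezone.utc)` as `now`, and alert on a non-empty result.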