> On Thu, Apr 22, 2021, at 09:47, Viktor Dukhovni wrote:
> > My domain has been signed since 2014 without any disruptions, with just
> > a modest monitoring script that has alerted me to pending expiration
> > (automated re-signing wasn't kicking in) a couple of times, well before
> > the signatures expired. The bugs that resulted in resigning not
> > happening have been fixed for some time, and I don't have to expend any
> > energy to keep DNSSEC running, it just works.
>
> That's you - you're an expert in this field. Most people aren't. And yet -
> as you mention, you had a bug with automated re-signing failing and had to add
> monitoring.

Once the DNSSEC support in Bind got to the point where it was able to handle most (but not all) expiration issues automatically, I decided to give DNSSEC a try. It's simple enough to configure it for basic domains, but I have a split-horizon setup, and that complicated things quite a bit.

Another problem was that a long time back I took advantage of an absurdly low promotional price from a registrar that didn't (and AFAIK still doesn't) support DNSSEC. I opted to eat the cost for a couple of domains and migrated to a registrar that did (always a royal pain). I finally migrated the last of them mid-2020. However, in the process I managed to make a cut-and-paste error and ended up with one valid and one invalid DS record for one of my infrequently-used domains. Which was noticed by exactly nothing, including the DNSSEC testing tool I happened to use to validate my setup.

Some time later I got a problem report from IANA. It seems that IANA has DNSSEC checking enabled on their mail server, I assume because they have enabled DANE (although this was never 100% clear), and I happened to have used this domain for an internal list forwarding address. Unfortunately the error message IANA was seeing was misleading, so it took a bit of time to track down.

And I still have work to do because Bind has added a number of options that I need to set, but before that can happen I need to upgrade Bind, and before that can happen I need to upgrade some other stuff. All this is for a total of 9 domains - a toy setup by any measure.

I know a little (but not a lot) about the DNS infrastructure at Oracle, and the cost and complexity of migrating it to DNSSEC would be staggering.

Ned
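The two failure modes in this thread, a stale or mistyped DS record at the parent that "exactly nothing" noticed, and RRSIG expiry creeping up because automated re-signing stalled, are both cheap to check for locally. The following is an added example written for this page, not code from the thread or from Bind: it recomputes the DS digest from a zone's DNSKEY RDATA (RFC 4034 owner-name wire form plus RDATA, key tag per Appendix B), flags any published DS that matches no current key, and reports RRSIGs whose expiration falls inside a warning window. The DNSKEY, DS values and RRSIG timestamps in the main guard are constructed for the demo; in practice you would feed it the DNSKEY RRset served by your own authoritative servers and the DS set served by the parent.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, digest_type: int = 2) -> tuple:
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY.
    Digest = H(owner name wire form || DNSKEY RDATA); types 1/2/4 = SHA-1/SHA-256/SHA-384."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def audit_ds(owner: str, dnskeys: list, ds_records: list) -> list:
    """Classify each DS published at the parent as 'match' (some current DNSKEY hashes to it)
    or 'mismatch' (no current key does; a stale or mistyped DS). Digest case is normalised."""
    expected = set()
    for flags, proto, alg, key in dnskeys:
        for dt in (1, 2, 4):
            expected.add(compute_ds(owner, flags, proto, alg, key, dt))
    results = []
    for ds in ds_records:
        tag, alg, dt, digest = ds
        status = "match" if (tag, alg, dt, digest.lower()) in expected else "mismatch"
        results.append((ds, status))
    return results


def rrsig_expiration_warnings(rrsigs: list, now: datetime, warn_days: int = 7) -> list:
    """rrsigs: (type covered, expiration as 'YYYYMMDDHHMMSS' UTC). Returns (type, expiration, state)
    for every signature already expired or expiring within warn_days."""
    warnings = []
    for covered, exp in rrsigs:
        exp_dt = datetime.strptime(exp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        remaining = exp_dt - now
        if remaining <= timedelta(days=warn_days):
            state = "expired" if remaining.total_seconds() <= 0 else "expiring"
            warnings.append((covered, exp, state))
    return warnings


if __name__ == "__main__":
    # Constructed demo data: a fake 32-byte Ed25519-sized KSK (flags 257, algorithm 15), not a real key.
    zone = "example.test."
    fake_key = base64.b64encode(bytes(range(32))).decode()
    dnskeys = [(257, 3, 15, fake_key)]
    good_ds = compute_ds(zone, 257, 3, 15, fake_key)
    bad_ds = (good_ds[0], good_ds[1], good_ds[2], "0" * 64)  # the cut-and-paste mistake
    for ds, status in audit_ds(zone, dnskeys, [good_ds, bad_ds]):
        print(f"DS keytag={ds[0]} digest={ds[3][:16]}... -> {status}")
    now = datetime(2021, 4, 22, 9, 47, tzinfo=timezone.utc)
    for item in rrsig_expiration_warnings([("SOA", "20210425000000"), ("MX", "20210601000000")], now):
        print("RRSIG warning:", item)
```

Run it from cron against the live DNSKEY and DS sets and alert on any "mismatch" or on any RRSIG entering the window; a stale DS left behind after a key rollover or a paste error is exactly the condition the DS audit catches, and the RRSIG check is the "modest monitoring script" Viktor describes.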