[Ach] DNSSEC and reference/mention to it

Klaus Darilion klaus.darilion at nic.at
Mon Feb 3 13:49:25 CET 2014


Hi!

DNSSEC is IMO quite complicated to setup, at least more complicated than 
HTTPS. Thus, I think it does not make sense to describe how to setup 
DNSSEC for the various name servers. But for sure it would be nice to 
have recommendations for the algorithm, the key length and, related to 
the key length, the key rollover policy (shorter key length -> more 
rollover). From maintenance work point of view, I suggest key lengths to 
have KSK rollover every 2 years, ZSK rollover every 6 months.

Further, DANE howtos would be nice. But they should not be mixed, but 
handled separately. DNSSEC is just a per-requisite for DANE.

regards
Klaus





More information about the Ach mailing list