[Ach] DNSSEC and reference/mention to it
klaus.darilion at nic.at
Mon Feb 3 13:49:25 CET 2014
DNSSEC is IMO quite complicated to setup, at least more complicated than
HTTPS. Thus, I think it does not make sense to describe how to setup
DNSSEC for the various name servers. But for sure it would be nice to
have recommendations for the algorithm, the key length and, related to
the key length, the key rollover policy (shorter key length -> more
rollover). From maintenance work point of view, I suggest key lengths to
have KSK rollover every 2 years, ZSK rollover every 6 months.
Further, DANE howtos would be nice. But they should not be mixed, but
handled separately. DNSSEC is just a per-requisite for DANE.
More information about the Ach