Hey @weppos, this is gonna lead to lots of downtime and people turning off DNSSEC. It's also bad to train people to make changes like this in response to emails. Surely there's a better way?
Let's all turn off DNSSEC and be done with it for good. So much time wasted on this.
2 replies 1 retweet 6 likes
Doesn't it still remain the best opportunity for having an auditable, cryptographically verified mechanism for integrity of authoritative DNS responses?
1 reply 0 retweets 0 likes
Replying to @0xjosh @mdhardeman and
We encourage automatic key rotation, pretty much as @letsencrypt encourages automatic cert replacement. We automatically rotate the key at the registry if we are the registrar. For hosted domains we can't. But we fire a webhook you can listen to, and swap the key programmatically.
1 reply 0 retweets 0 likes
BTW we're always open to constructive feedback. We considered extending the rotation period from 3d to ~7d (to allow some extra time). Perhaps that would help. Still, automation is the ultimate solution. In an ideal world, we should not worry about rotation. It should just work.
2 replies 0 retweets 0 likes
Replying to @weppos @iangcarroll
3 days is definitely too short; consider if the email arrives on a weekend or holiday. Also, you have to take into account the TTL of the DS record, which for .com is 24 hours. So you really only have 2 days to rotate with .com, not 3. Email ought to mention this.
1 reply 0 retweets 1 like
That said, I'm very skeptical that the security value of rotating the KSK every 90 days outweighs the cost to usability and availability when automation is not available. I would suggest not rotating the KSK unless you're the registrar or the registry supports CDS and CDNSKEY.