troglodynellc | 2 years ago
Rolling this over in an automated fashion is desirable, as if this just happens to slip your mind, too bad, NXDOMAIN.
This is obviously a non-starter for most people; otherwise this would just be automagic like letsencrypt is now.
CDS and CDNSKEY records basically solve this problem, but last I checked only a tiny minority of registrars implement them. Even then, some of them require things like 3-day windows in which the CDS/CDNSKEY must not change before they obey. It's basically a recipe for raising your blood pressure 10mmHg.
So, everyone ignores it for this very good reason. As long as it's essentially installing a landmine in your office chair nobody will touch it.
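A sanity check one can run before leaning on a registrar's CDS scan, as an added example that is not from this thread: it derives the DS record from a KSK's DNSKEY RDATA (RFC 4034 key tag, SHA-256 digest type 2) and confirms that the CDS record the zone publishes matches it, so a typo in the CDS is caught before the registrar's observation window starts. The zone name and key bytes below are constructed placeholders, not a real key.

```python
import base64
import hashlib

# Constructed example inputs (not a real zone or key): a KSK DNSKEY for a hypothetical zone.
ZONE = "example.test."
DNSKEY_FLAGS = 257       # KSK: ZONE and SEP bits set
DNSKEY_PROTOCOL = 3
DNSKEY_ALGORITHM = 13    # ECDSAP256SHA256
DNSKEY_PUBKEY_B64 = base64.b64encode(bytes([1, 2, 3, 4])).decode()  # toy key bytes


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase labels, length-prefixed, root terminator."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(name: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """DS RDATA text ('tag alg digest-type digest') using digest type 2 (SHA-256 over owner||RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_name_wire(name) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def cds_matches_dnskey(cds_rdata: str, name: str, flags: int, protocol: int,
                       algorithm: int, pubkey_b64: str) -> bool:
    """True if the published CDS record equals the DS derived from the DNSKEY it announces."""
    normalized = " ".join(cds_rdata.split()).upper()
    return normalized == ds_from_dnskey(name, flags, protocol, algorithm, pubkey_b64)


if __name__ == "__main__":
    ds = ds_from_dnskey(ZONE, DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, DNSKEY_PUBKEY_B64)
    print("expected CDS:", ds)
    print("consistent:", cds_matches_dnskey(ds, ZONE, DNSKEY_FLAGS, DNSKEY_PROTOCOL,
                                            DNSKEY_ALGORITHM, DNSKEY_PUBKEY_B64))
```

Feed it the DNSKEY and CDS RDATA pulled from your own zone (for example via `dig +short DNSKEY`/`CDS`) and only let the automated rollover proceed when the check passes.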
xz53 | 2 years ago
For most users there's really no reason for a ZSK/KSK split or rolling keys, much the same as there's no need for rolling SSH keys for most users.