On Mon, Jan 07, 2013 at 01:31:39AM +0000, Robin H. Johnson wrote:
> If there are no problems reported in a week or two, I'm going to enable
> this for the rest of our DNS zones, as well as registering the DS
> records with the TLD. Thereafter, I'd also like to deploy DANE and SSH
> fingerprints in DNS, and remove our reliance on any elements of the CA
> chain.
I haven't heard any problems at all, so I have implemented it on another
domain we own (it probably won't be renewed when it comes up, per
trustees' decisions):
gentoo.be

In addition, I have the DS/DNSKEY with the .be domain registrar (the
full-trust variant, instead of relying on the DLV lookaside trust
repository).

I also added in a DNAME entry of:
dev.gentoo.be. DNAME dev.gentoo.org.

So that I could create the following trust chain for testing purposes:
http://dnsviz.net/d/mv78100.arm.dev.gentoo.be/dnssec/

If there are no problems reported by Jan 17th, I'm going to complete the
DNSSEC configuration on gentoo.org and remaining delegated sub-domains.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
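The DS record handed to the .be registrar is a hash over the zone's KSK, and a typo or a stale digest there silently breaks the trust chain the mail describes. The following is an added example (not Gentoo infrastructure code) that derives the DS fields from a DNSKEY per RFC 4034 / RFC 4509 and checks a DS in presentation form against the key it should cover; the public key bytes are a constructed sample, not a real signing key.

```python
import base64
import hashlib

# Digest types from RFC 4034 / RFC 4509 / RFC 6605; SHA-256 (type 2) is what registrars expect today.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in owner.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1); base64 may contain spaces."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, variant for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS fields (key_tag, algorithm, digest_type, digest_hex) covering one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, ds_text: str) -> bool:
    """Check a DS in presentation form ('2068 13 2 ABCD...') against the DNSKEY it should cover."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return expected == (int(tag), int(alg), int(dtype), "".join(digest.split()).upper())


# Constructed sample key (not a real key): flags 257 = KSK, protocol 3, algorithm 13.
SAMPLE_KEY = "AQIDBA=="
SAMPLE_DS = ds_from_dnskey("gentoo.be.", 257, 3, 13, SAMPLE_KEY)
```

Run the check against the DS your registrar actually publishes in the parent zone, not only against the one you submitted.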