| 1 |
On Mon, Jan 07, 2013 at 01:31:39AM +0000, Robin H. Johnson wrote: |
| 2 |
> If there are no problems reported in a week or two, I'm going to enable |
| 3 |
> this for the rest of our DNS zones, as well as registering the DS |
| 4 |
> records with the TLD. Thereafter, I'd also like to deploy DANE and SSH |
| 5 |
> fingerprints in DNS, and remove our reliance any elements of the CA |
| 6 |
> chain. |
| 7 |
I haven't heard any problems at all, so I have implemented it on another |
| 8 |
domain we own (it probably won't be renewed when it comes up, per |
| 9 |
trustees decisions): |
| 10 |
gentoo.be |
| 11 |
|
| 12 |
In addition, I have the DS/DNSKEY with the .be domain registrar (the |
| 13 |
full-trust variant, instead of relying on the DLV lookaside trust |
| 14 |
repository). |
| 15 |
|
| 16 |
I also added in a DNAME entry of: |
| 17 |
dev.gentoo.be. DNAME dev.gentoo.org. |
| 18 |
|
| 19 |
So that I could create the following trust chain for testing purposes: |
| 20 |
http://dnsviz.net/d/mv78100.arm.dev.gentoo.be/dnssec/ |
| 21 |
|
| 22 |
If there are no problems reported by Jan 17th, I'm going to complete the |
| 23 |
DNSSEC configuration on gentoo.org and remaining delegated sub-domains. |
| 24 |
|
| 25 |
-- |
| 26 |
Robin Hugh Johnson |
| 27 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 28 |
E-Mail : robbat2@g.o |
| 29 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives