DNSSec support #236
Comments
|
some best practises in respect to nsec3 are discussed in https://kb.isc.org/docs/dnssec-signed-zones-best-practice-guidance-for-nsec3-iterations -- which sound very reasonable. |
|
since #251 is merged now, closing this issue. there is likely some work to be done to use dnssec in the client, resolver, servers -- but this meta-issue does not really serve a purpose. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
there are two sides of the coin:
The latter involves some key management, currently I'd keep the keys online (due to dynamic updates) instead of offline. The different key algorithms should nowadays be implemented in the MirageOS ecosystem. For some protocols, DNSSec is crucial (though the root of trust is in a single key).
For the former, this is crucial if every deploying an open recursive resolver (to not make the ecosystem of open recursive resolvers more brittle), and is connected to #167. My intuition is that a stub resolver with tls (and dns over https) is more suitable at the moment than a recursor.
The text was updated successfully, but these errors were encountered: