[GTALUG] Checking for DNSSEC

Christopher Browne cbbrowne at gmail.com
Thu Aug 30 13:35:22 EDT 2018


Thanks, Gord!

The one thing of interest that I noted in the "DNS Check"
(https://zonemaster.iis.se) for GTALUG.org was that our DNS hosting
via Gandi has perhaps insufficient diversity.  To wit, there are
several warnings similar to "All nameservers in the delegation have
IPv4 addresses in the same AS (29169)."

I don't think we'd win much by adding an extra delegation separate
from Gandi (e.g. - adding an extra nameserver elsewhere) in practice,
given that we only have one server anyways.  That would likely require
we publish our DNS information in a more complex fashion, essentially
duplicating all changes, and I think that would lead to the risk of us

But it seems to me as though Gandi would be able to help their
customers if they had one of their nameservers be located somewhere
else than inside ASN 29169.

FYI, Firefox complains about the Verisign verifier
(https://dnssec-analyzer.verisignlabs.com/) being insecure due to
using Symantec signatures.

I wonder if we should consider setting up gtalug.org to use DNSSEC;
that's a question to consider at an Ops meeting some time...
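The AS-diversity warning quoted above can be reproduced offline. The following is an added example, not code from this post and not Zonemaster's own implementation: given a delegation's nameservers with their addresses and the origin AS of each address, it emits the same "All nameservers in the delegation have IPv4 addresses in the same AS (...)" warning, checked per address family, and shows that adding one nameserver from another AS clears it. All hostnames, addresses (RFC 5737 / RFC 3849 documentation ranges) and AS numbers other than 29169 are constructed placeholders; the IP-to-ASN column is assumed to have been looked up separately.

```python
# Added example: offline re-implementation of a delegation AS-diversity
# check in the spirit of the Zonemaster warning quoted in the post.
# Nothing here is Zonemaster's code; input data is constructed.
from typing import Dict, List

# Constructed delegation data. Each nameserver carries its addresses
# together with the AS that originates each address. In a live check the
# ASN would come from an IP-to-ASN lookup; here it is embedded. AS 29169
# is the number quoted in the post; 64496 is a documentation ASN.
SAME_AS_DELEGATION: List[Dict] = [
    {"ns": "ns1.example-dns.net.",
     "addrs": [("192.0.2.10", 29169), ("2001:db8:1::10", 29169)]},
    {"ns": "ns2.example-dns.net.",
     "addrs": [("198.51.100.20", 29169), ("2001:db8:2::20", 29169)]},
    {"ns": "ns3.example-dns.net.",
     "addrs": [("203.0.113.30", 29169), ("2001:db8:3::30", 29169)]},
]

# Same delegation plus one nameserver hosted in a different AS, which is
# the remedy the post suggests for the provider side.
DIVERSE_DELEGATION: List[Dict] = SAME_AS_DELEGATION + [
    {"ns": "ns4.other-provider.example.",
     "addrs": [("192.0.2.200", 64496), ("2001:db8:ffff::200", 64496)]},
]


def family(addr: str) -> str:
    """Classify an address literal as IPv4 or IPv6 by the presence of ':'."""
    return "IPv6" if ":" in addr else "IPv4"


def as_numbers_by_family(delegation: List[Dict]) -> Dict[str, set]:
    """Collect the set of origin ASNs seen per address family."""
    by_fam: Dict[str, set] = {"IPv4": set(), "IPv6": set()}
    for ns in delegation:
        for addr, asn in ns["addrs"]:
            by_fam[family(addr)].add(asn)
    return by_fam


def delegation_warnings(delegation: List[Dict]) -> List[str]:
    """Return human-readable warnings about the delegation's diversity.

    A family with addresses that all originate from a single AS gets a
    warning worded like the one quoted in the post. A family with no
    addresses at all produces nothing, since there is nothing to compare.
    """
    warnings: List[str] = []
    if len(delegation) < 2:
        warnings.append("Delegation has fewer than two nameservers.")
    for fam, asns in as_numbers_by_family(delegation).items():
        if len(asns) == 1:
            (asn,) = asns
            warnings.append(
                f"All nameservers in the delegation have {fam} addresses "
                f"in the same AS ({asn})."
            )
    return warnings


if __name__ == "__main__":
    for label, delegation in (("single-AS", SAME_AS_DELEGATION),
                              ("diverse", DIVERSE_DELEGATION)):
        print(f"{label}: {delegation_warnings(delegation) or 'no warnings'}")
```

Run as a script it prints the two warnings (one per address family) for the single-AS delegation and "no warnings" once a fourth nameserver in another AS is present. Checking IPv4 and IPv6 separately matters because a provider can be diverse on one family and not the other.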

