In the ongoing battle of site improvements and shoring up security, I finally managed to scratch a long-standing itch and signed the soylentnews.org domain. As of right now, our chain is fully validated and pushed to all our end-points.
Right now, I'm getting ready to dig in with TheMightyBuzzard to work on improving XSS protection for the site, and starting to lay out new site features (which will be in a future post). As with any meta post, I'll be reading your comments below.
~ NCommander
(Score: 2) by NCommander on Thursday August 25 2016, @06:53PM
DNSSEC isn't bad if you're using your own BIND master. Just make a signing key and turn on inline signing. Problem solved.
Just make sure you generate RSASHA256 keys vs. the default of SHA1 ones.
Still always moving
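A small audit script for the advice above, added here and not code from the thread or from SoylentNews's own tooling: it pulls the algorithm field out of DNSKEY records in a zone dump, flags keys still on the SHA-1 algorithms (RSASHA1, NSEC3RSASHA1), and prints the dnssec-keygen commands for RSASHA256 replacements. The key directory /etc/bind/keys, the example.org zone and its key data are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: flag DNSKEYs generated with the
# SHA-1 default the post warns about (RSASHA1 = IANA alg 5, NSEC3RSASHA1 = 7)
# before the DS record goes to the registrar. SAMPLE_ZONE data is constructed.
algo_name() {  # IANA DNSSEC algorithm number -> mnemonic
    case "$1" in
        5)  echo RSASHA1 ;;         7)  echo NSEC3RSASHA1 ;;
        8)  echo RSASHA256 ;;       10) echo RSASHA512 ;;
        13) echo ECDSAP256SHA256 ;; 14) echo ECDSAP384SHA384 ;;
        15) echo ED25519 ;;         *)  echo UNKNOWN ;;
    esac
}
# Algorithm field of "<owner> [TTL] [class] DNSKEY <flags> <proto> <alg> <key>".
dnskey_algo() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i+3); exit } }'
}

# 0 if the key is SHA-256 based or stronger, 1 if SHA-1 based or unknown.
dnskey_algo_ok() {
    case "$(dnskey_algo "$1")" in 8|10|13|14|15) return 0 ;; *) return 1 ;; esac
}
# Audit every DNSKEY in a zone dump passed as one string (e.g. the output of
# "dig @master example.org DNSKEY" or an AXFR); returns 1 if any key is weak.
audit_dnskeys() {
    rc=0
    while IFS= read -r line; do
        case "$line" in *" DNSKEY "*) ;; *) continue ;; esac
        algo=$(dnskey_algo "$line")
        if dnskey_algo_ok "$line"; then verdict=ok; else verdict="WEAK (SHA-1)"; rc=1; fi
        printf '%s alg=%s (%s): %s\n' "${line%% *}" "$algo" "$(algo_name "$algo")" "$verdict"
    done <<EOF
$1
EOF
    return $rc
}

# Replacement keys as the post advises: RSASHA256, one KSK (-f KSK) and one ZSK.
# /etc/bind/keys is an assumed key-directory, not a path from the thread.
keygen_cmds() {
    printf 'dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 2048 -f KSK %s\n' "$1"
    printf 'dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 2048 %s\n' "$1"
}

# Constructed sample: KSK still on RSASHA1 (5), ZSK already on RSASHA256 (8).
SAMPLE_ZONE='example.org. 3600 IN DNSKEY 257 3 5 AwEAAcKSKdata
example.org. 3600 IN DNSKEY 256 3 8 AwEAAdZSKdata
example.org. 3600 IN NS ns1.example.org.'
audit_dnskeys "$SAMPLE_ZONE" || { echo 'regenerate with:'; keygen_cmds example.org; }
```

Feed it the real DNSKEY RRset from your master (or the AXFR copy on the secondary) and it exits non-zero as long as any SHA-1 key is still published.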
(Score: 2) by ledow on Thursday August 25 2016, @07:39PM
But if you're not using your own BIND master, it's an absolute pain in the butt.
I find it disappointing that most domain hosts don't even offer it as an option at all. It's the sort of thing they should be managing for most people.
(Score: 2) by NCommander on Thursday August 25 2016, @09:06PM
To an extent, I do get why it's not common. Key management in DNSSEC is not trivial, and you don't want your signing keys controlled by a third party if it can be avoided. There's plenty of misinformation around; for example, most guides state that SHA1 is the only supported signing algorithm. It isn't; most of the roots are signed SHA256 for instance.
On the webUI front, Linode doesn't support it directly, but you can replicate RRSIG to their zone by AXFR. As there is no standardized interface to upload the KSK/ZSK, it becomes something of a PITA. It's also possible to put a DNSSEC frontend in front of your servers which will sign the zone in-transit if you can do online key signing. That way, you can just set the front-end as authoritative, and point your NS records at that.
Cloudflare at the very least did it right and signed all the domains under their control (which was only possible since they're also a registrar, I think).
Still always moving