implement DNSSEC [Postfix client + domain later]
We should look into migrating to DNSSEC.
Florian privately made some good experiences with core-networks.de (signing is super-easy, they just lack an API for zones which we haven't used anyways in the past)
There's a sponsoring offer on the table for backup DNS.
An idea would be to have core-networks as main DNSSEC provider, and take advantage of the sponsoring offer as mirror/fallback (secondary zone with AXFR).
I'd start with less-prominent domains first to gain some experience.
I would, contrary to the initial scope of the ticket, not consider hosting DNS on our own.
#2 Updated by Florian Effenberger over 3 years ago
- Subject changed from onw DNS incl. DNSSEC to own DNS incl. DNSSEC
#3 Updated by Florian Effenberger about 3 years ago
There's www.core-networks.de which I've been using for testing. Sounds interesting, though it lacks an API it seems
I'm reluctant to switch DNS providers "just" to have DNSSEC, but maybe having one that does the DNSSEC magic and another one that just mirrors the zone could be an idea
#5 Updated by Florian Effenberger almost 3 years ago
- Subject changed from own DNS incl. DNSSEC to implement DNSSEC
- Description updated (diff)
#6 Updated by Florian Effenberger about 2 years ago
- Assignee changed from Alexander Werner to Guilhem Moulin
re-assigning to Guilhem in order to clean up Redmine queues
nothing concrete to do at the moment
#7 Updated by Florian Effenberger about 2 years ago
- Target version changed from Qlater to Q1/2017
Tentatively Q1; it might help (with TLSA and the like) e-mail deliverability
#8 Updated by Florian Effenberger about 2 years ago
- Subject changed from implement DNSSEC to implement DNSSEC [Postfix client + domain later]
#9 Updated by Florian Effenberger almost 2 years ago
- Target version changed from Q1/2017 to Qlater
Not that urgent actually, shifting to Qlater