rmoriz 8 hours ago

I enabled DNSSEC a couple of years ago on my self-hosted powerdns setup. I sign the zone locally, then build docker containers via SSH on the target nodes.

I made a mistake once and signed with wrong keys which then broke DANE. It's good to validate your DNSSEC (and DANE, CAA etc.) setup through external monitoring.
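Added example (my code, not rmoriz's setup or PowerDNS's): the core of an external DANE monitor. It parses TLSA records in zone-file and wire form (RFC 6698), recomputes the association data from the certificate the service presents, and reports "ok", "mismatch", or "insecure" when the TLSA answer was not DNSSEC-validated, which is what a badly signed zone looks like to a DANE client. The DER byte strings and the stale record are constructed stand-ins; a real monitor feeds in the chain from the TLS handshake and the AD bit from a validating resolver.

```python
"""Offline check that a TLSA RRset still matches the certificate a service
presents (RFC 6698).  Added example; the sample bytes below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def parse_tlsa_presentation(text: str) -> TLSA:
    """Parse zone-file form, e.g. '3 1 1 ab12...' (the hex may be split by spaces)."""
    usage, selector, mtype, *hexparts = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def parse_tlsa_wire(rdata: bytes) -> TLSA:
    """Parse wire-format RDATA: three one-octet fields, then the association data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the record's data field must contain for this certificate."""
    if rec.selector == 0:
        material = cert_der
    elif rec.selector == 1:
        material = spki_der
    else:
        raise ValueError(f"unknown selector {rec.selector}")
    if rec.mtype == 0:
        return material
    if rec.mtype == 1:
        return hashlib.sha256(material).digest()
    if rec.mtype == 2:
        return hashlib.sha512(material).digest()
    raise ValueError(f"unknown matching type {rec.mtype}")


Cert = Tuple[bytes, bytes]  # (certificate DER, SubjectPublicKeyInfo DER)


def dane_status(records: Sequence[TLSA], chain: Sequence[Cert],
                dnssec_secure: bool) -> Tuple[str, List[TLSA]]:
    """Classify a service's DANE state for a monitoring check.

    chain is leaf first.  Usage 1/3 records are compared against the leaf,
    usage 0/2 against the issuers in the chain.  PKIX path validation for
    usage 0/1 is out of scope here; a real monitor must still do it.
    Returns (state, matching records): 'insecure' when the TLSA answer was
    not DNSSEC-validated (DANE clients then ignore it, so a bogus signature
    breaks DANE even though the records are right), 'mismatch' when no
    record matches, 'ok' otherwise.
    """
    if not dnssec_secure:
        return "insecure", []
    matched: List[TLSA] = []
    for rec in records:
        candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
        for cert_der, spki_der in candidates:
            if hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data):
                matched.append(rec)
                break
    return ("ok" if matched else "mismatch"), matched


# Constructed stand-ins for DER bytes; real ones come from the TLS handshake.
LEAF = (b"constructed leaf cert DER", b"constructed leaf SPKI DER")
ISSUER = (b"constructed issuer cert DER", b"constructed issuer SPKI DER")
OLD_LEAF_SPKI = b"constructed SPKI of the key used before a rotation"


def sample_rrset() -> List[TLSA]:
    """Constructed TLSA RRset: the common '3 1 1' form for the current key plus a
    stale record left behind by a key rotation."""
    current = "3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest()
    stale = "3 1 1 " + hashlib.sha256(OLD_LEAF_SPKI).hexdigest()
    return [parse_tlsa_presentation(current), parse_tlsa_presentation(stale)]


if __name__ == "__main__":
    state, hits = dane_status(sample_rrset(), [LEAF, ISSUER], dnssec_secure=True)
    print(state, len(hits))  # ok 1
```

A monitor built on this alarms on two different conditions: "mismatch" means the zone data and the deployed key disagree (the stale record alone would trigger it after a rotation), while "insecure" means the DNSSEC chain itself failed, which is the failure mode of signing with the wrong keys.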

nulltrace 3 hours ago | parent [-]

The key rollover part is what kills me about DNSSEC. I deal with key rotation in other contexts and it's already annoying, but at least if I mess up a TLS cert renewal the worst case is a browser warning. DNSSEC KSK rotation goes wrong and your whole domain stops resolving. And the old DS record is cached upstream so there's no quick fix.

gzread an hour ago | parent [-]

Aren't you supposed to keep the old and new KSK records for a while? Sorry if it's a dumb question since I don't regularly do this myself.

Worst case you can put the old records back until you figure out how to generate the new ones correctly, right? (Assuming it's not too close to the expiry time)
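Added example (mine, not from any poster) covering both nulltrace's point about cached DS records and gzread's question about keeping old and new records: a small model of what validating resolvers can hold in cache during a KSK rollover. Each schedule lists when the parent's DS set and the zone's DNSKEY set change; the check enumerates every (cached DS, cached DNSKEY) pair a resolver could have at each hour and reports the hours where no pair chains. The TTLs (24 h DS, 4 h DNSKEY), hour numbers and key names are constructed, and the model assumes every KSK in the DNSKEY RRset also signs it.

```python
"""Which (DS, DNSKEY) pairs can validating resolvers hold in cache during a
KSK rollover?  A schedule is safe only if every such pair still chains.
Added example, not from the thread; times are hours, TTLs are constructed."""
from typing import FrozenSet, List, Tuple

RRset = FrozenSet[str]
Schedule = List[Tuple[int, RRset]]   # (time, RRset published from that time on)
Gap = Tuple[int, RRset, RRset]       # (time, cached DS set, cached DNSKEY set)


def state_at(schedule: Schedule, t: int) -> RRset:
    """RRset published at time t: the latest change at or before t, or the
    initial set for times before the first change."""
    ordered = sorted(schedule, key=lambda change: change[0])
    current = ordered[0][1]
    for when, rrset in ordered:
        if when <= t:
            current = rrset
    return current


def cacheable_states(schedule: Schedule, t: int, ttl: int) -> List[RRset]:
    """Every RRset some resolver may still hold at t: anything fetched in [t - ttl, t]."""
    seen: List[RRset] = []
    for fetched in range(t - ttl, t + 1):
        rrset = state_at(schedule, fetched)
        if rrset not in seen:
            seen.append(rrset)
    return seen


def validation_gaps(ds: Schedule, dnskey: Schedule, ds_ttl: int,
                    dnskey_ttl: int, horizon: int) -> List[Gap]:
    """Hours at which some resolver holds a DS set naming none of the KSKs in its
    cached DNSKEY RRset (one offending pair per hour).  Simplification: every KSK in
    the DNSKEY RRset is assumed to sign that RRset, so a DS match is enough to chain."""
    gaps: List[Gap] = []
    for t in range(horizon + 1):
        for ds_cached in cacheable_states(ds, t, ds_ttl):
            broken = [k for k in cacheable_states(dnskey, t, dnskey_ttl) if not (ds_cached & k)]
            if broken:
                gaps.append((t, ds_cached, broken[0]))
                break
    return gaps


OLD, NEW = frozenset({"ksk-old"}), frozenset({"ksk-new"})
BOTH = OLD | NEW
DS_TTL, DNSKEY_TTL = 24, 4   # constructed: parent DS TTL one day, DNSKEY TTL four hours


def double_ds_plan(ksk_swap_at: int = 40, ds_old_removed_at: int = 48) -> Tuple[Schedule, Schedule]:
    """Double-DS rollover: publish the new DS beside the old one at hour 10, swap the
    KSK once every DS cache can have seen both (more than DS_TTL later), then drop the
    old DS once every DNSKEY cache can have seen the new key (more than DNSKEY_TTL
    after the swap)."""
    ds = [(0, OLD), (10, BOTH), (ds_old_removed_at, NEW)]
    dnskey = [(0, OLD), (ksk_swap_at, NEW)]
    return ds, dnskey


def rollback_plan() -> Tuple[Schedule, Schedule]:
    """Swap the KSK too early (hour 20, only 10 h after the new DS appeared), notice
    the breakage, and put the old KSK back at hour 22.  Resolvers that cached the
    old DS still fail until every copy of the hour-20 DNSKEY RRset has expired."""
    ds = [(0, OLD), (10, BOTH), (48, NEW)]
    dnskey = [(0, OLD), (20, NEW), (22, BOTH)]
    return ds, dnskey


if __name__ == "__main__":
    plans = {
        "double-DS": double_ds_plan(),
        "old DS removed too early": double_ds_plan(ds_old_removed_at=42),
        "KSK swapped too early, then rolled back": rollback_plan(),
    }
    for name, (ds, keys) in plans.items():
        gaps = validation_gaps(ds, keys, DS_TTL, DNSKEY_TTL, horizon=72)
        hours = [g[0] for g in gaps]
        print(f"{name}: {'safe' if not gaps else f'broken at hours {hours}'}")
```

The rollback plan is the interesting one for gzread's question: putting the old DNSKEY back does stop the bleeding, but the outage still runs for the full DNSKEY TTL after the rollback, because the resolvers that already fetched the new-only DNSKEY RRset keep it until it expires, and the DS they hold was cached upstream long before. The same model shows why the wait times in the double-DS plan are not optional: shorten either one and the gaps appear exactly at the hour the rule was broken.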