I've been in IT 30+ years, been running DNS, web servers, etc. since at least 1994. I haven't bothered with DNSSEC due to perceived operational complexity. The penalty for a screw up, a total outage, just doesn't seem worth the security it provides.

▲ gerdesj 28 minutes ago | parent | next [-]

That was my experience too until I decided that just running email systems for 30 odd years when HN says that is unnatural piqued my weird or something!

I ran up three new VMs on three different sites. I linked all three systems via a private Wireguard mesh. MariaDB on each VM bound to the wg IP and stock replication from the "primary". PowerDNS runs across that lot. One of the VMs is not available from the internet and has no identity within the DNS. The idea is that if the Eye of Sauron bears down on me, I can bring another DNS server online quite quickly and fiddle the records to bring it online. It also serves as a third authority for replication.

I also deployed https://github.com/PowerDNS-Admin/PowerDNS-Admin which is getting on a bit and will be replaced eventually but works beautifully.

Now I have DNS with DNSSEC and dynamic DNS and all the rest. This is how you start signing a zone and PowerDNS will look after everything else:

  # pdnsutil secure-zone example.co.uk
  # pdnsutil zone set-nsec3 example.co.uk
  # pdnsutil zone rectify example.co.uk

Grab a test zone and work it all out first, it will cost you not a lot and then go for "production".

My home systems are DNSSEC signed.

▲ qingcharles 35 minutes ago | parent | prev [-]

How simple sysadmin was in 1994 with no cryptography on any protocol. Everything could be easily MITM'd. Your credit card number would get jacked left and right in the 90s.

	▲	gerdesj 25 minutes ago \| parent [-]
		Cool. Feel free to explain how to tighten things up. I've just given them part of a recipe for using DNSSEC. I suspect you are not actually human .. qingcharles.