Roman Danilov, 2013-05-06 19:50:26
Domain Name System

DNSSEC - how to cook it right?

A few practical questions about the practical (I'm not afraid of tautology) use of DNSSEC:
1. Is it possible to use DNSSEC-based SSL not only for the web but also, for example, for POP3 and SMTP, and if so, how?
2. I have a signed second-level domain with a delegated third-level domain. How do I sign the last one?
3. Recommend DNS hosting based on BIND9, with possible conveniences like serial number checking, reverse zone calculators, IPv6 glue, etc. Did you understand that I want to manually edit the zone files so that I can add all sorts of records of exotic types, like TYPEnnn? Preferably free or inexpensive.

The question was inspired by these posts:
habrahabr.ru/post/138490/
habrahabr.ru/company/webnames/blog/171177/


2 answer(s)
karkarramba, 2013-05-13
@karkarramba

1. This is not explicitly stated, but DKIM and DMARC are signed perfectly well within DNSSEC;
2. Create keys, sign, push the DS record into the second-level domain, re-sign the last one.
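
The DS record that step 2 pushes into the second-level (parent) zone is a digest of the child zone's key-signing DNSKEY. The following is an added example, not part of the answer, that derives it as defined in RFC 4034 and RFC 4509; the zone name `sub.example.com.` and the key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample: a DNSKEY line for the delegated child zone.
# The 64 key bytes are filler (algorithm 13 keys are 64 bytes), not a real key.
CHILD_DNSKEY = ("sub.example.com. IN DNSKEY 257 3 13 "
                + base64.b64encode(bytes(range(64))).decode())

def wire_name(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(line):
    """Build the parent-side DS line (digest type 2, SHA-256) from a DNSKEY line."""
    fields = line.split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    # Zone Key bit (0x0100) is required for a key a DS points at;
    # SEP bit (0x0001) marks it as the key-signing key by convention.
    if (flags & 0x0101) != 0x0101:
        raise ValueError("DNSKEY is not a key-signing key (flags=%d)" % flags)
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    # DS digest = SHA-256(canonical owner name | DNSKEY RDATA)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d 2 %s" % (owner, key_tag(rdata), algorithm, digest)

if __name__ == "__main__":
    print(ds_from_dnskey(CHILD_DNSKEY))
```

The printed line is what goes into the parent zone next to the child's NS records, after which the parent zone is re-signed so the DS record gets its own RRSIG.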

karkarramba, 2013-05-13
@karkarramba

1. MTA-MUA: no way. As far as I understand the mail business, it's more for MTA-MTA.
DNSSEC is generally pretty bad when it comes to end clients.
2. Everything is exactly the same as for second-level domains.
