Re: snarls in real life Thu, 22 April 2021 01:18 UTC

Date: Wed, 21 Apr 2021 17:10:16 -0700 (PDT)
Subject: Re: snarls in real life
To: Bron Gondwana <>
List-Id: IETF-Discussion <>

> On Thu, Apr 22, 2021, at 09:47, Viktor Dukhovni wrote:
> > My domain has been signed since 2014 without any disruptions, with just
> > a modest monitoring script that has alerted me to pending expiration
> > (automated re-signing wasn't kicking in) a couple of times, well before
> > the signatures expired.  The bugs that resulted in resigning not
> > happening have been fixed for some time, and I don't have to expend any
> > energy to keep DNSSEC running, it just works.

> That's you - you're an expert in this field.  Most people aren't.  And yet -
> as you mention, you had a bug with automated re-signing failing and had to add
> monitoring.

Once the DNSSEC support in Bind got to the point where it was able to handle
most (but not all) expiration issues automatically, I decided to give DNSSEC a

It's simple enough to configure it for basic domains, but I have a split-horizon
setup, and that complicated things quite a bit.

Another problem was that a long time back I took advantage of an absurdly low
promotional price from a registrar that didn't (and AFAIK still doesn't) support
DNSSEC. I opted to eat the cost for a couple of domains and migrated to a
registrar that did (always a royal pain). I finally migrated the last of them

However, in the process I managed to make a cut-and-paste error and ended up
with one valid and one invalid DS record for one of my infrequently-used
domains. Which was noticed by exactly nothing, including the DNSSEC testing tool
I happened to use to validate my setup.

Some time later I got a problem report from IANA. It seems that IANA has DNSSEC
checking enabled on its mail server, I assume because they have enabled DANE
(although this was never 100% clear), and I happened to have used this domain
for an internal list forwarding address. Unfortunately the error message IANA
was seeing was misleading, so it took a bit of time to track down.

And I still have work to do because Bind has added a number of options that I
need to set, but before that can happen I need to upgrade Bind, and before that
can happen I need to upgrade some other stuff.

All this is for a total of 9 domains - a toy setup by any measure.

I know a little (but not a lot) about the DNS infrastructure at Oracle, and the
cost and complexity of migrating it to DNSSEC would be staggering.
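The stale DS record described above went unnoticed because nothing compared the parent's DS set against the child's DNSKEY set. The following is an added example, not code from this thread or from any of the tools mentioned: it recomputes the RFC 4034 DS digest for each DNSKEY and reports any DS the parent publishes that matches no key in the zone. The domain name and key material are constructed for illustration.

```python
import base64
import hashlib

# RFC 4034 section 5.1.4: DS digest = hash(canonical owner name || DNSKEY RDATA)
# DNSKEY RDATA = flags (2 bytes) | protocol (1 byte) | algorithm (1 byte) | public key
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed placeholder key (not a real DNSKEY); only its bytes matter for the digest.
EXAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()


def wire_name(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Build the wire-format RDATA of a DNSKEY record from its presentation fields."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def expected_ds(name: str, rdata: bytes, digest_type: int) -> tuple:
    """Return (key_tag, algorithm, digest_type, hex digest) the parent should publish."""
    digest = DIGEST_ALGS[digest_type](wire_name(name) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def audit_ds(name: str, dnskeys: list, ds_records: list) -> list:
    """Return the DS records (tag, alg, digest_type, hex digest) matching no DNSKEY."""
    valid = set()
    for flags, proto, alg, key in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key)
        for dt in DIGEST_ALGS:  # accept any supported digest type for the same key
            valid.add(expected_ds(name, rdata, dt))
    return [ds for ds in ds_records if (ds[0], ds[1], ds[2], ds[3].lower()) not in valid]


if __name__ == "__main__":
    keys = [(257, 3, 13, EXAMPLE_KEY)]
    good = expected_ds("example.test", dnskey_rdata(*keys[0]), 2)
    stale = (good[0], good[1], 2, "00" * 32)  # constructed: digest of a key no longer in the zone
    print("stale DS records:", audit_ds("example.test", keys, [good, stale]))
```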