Yes. I sign my zones and have a DNSSEC validating DNS resolver.
I recommend trying https://www.knot-dns.cz/, it automatically takes care of rotating keys and signing, so enabling DNSSEC for your zone is just a matter of enabling automatic signing in its config file.
@miegl said:
Yes. I sign my zones and have a DNSSEC validating DNS resolver.
I recommend trying https://www.knot-dns.cz/, it automatically takes care of rotating keys and signing, so enabling DNSSEC for your zone is just a matter of enabling automatic signing in its config file.
I use it on static domains. I don't use it so much on ones with dynamic IP determination (tied to up/down monitors, geo-routed, etc.) because I have not yet assessed the performance impact of on-the-fly signing on our nameservers - that's on the to-do list probably some time in the new year.
Comments
Thanks for sharing.
No. From what I could figure, especially for my intended use, it's more hassle (potential problems) than it helps.
I use it wherever I can, unfortunately, not all registrars support it.
I enabled it on my first domain. So far no issues. Using Cloudflare and Porkbun.