Tony Finch · Oct 11, 2018 · 9:24 AM UTC

Tony Finch

Tony Finch @fanf

11 Oct 2018

Checking ahead of the DNSSEC root KSK rollover ... all my resolvers have a ttl > 24h for the root DNSKEY RRset, so I plan to give them a delicate kick after H-hour to ensure things are OK before I head to Amsterdam tomorrow

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · Oct 11, 2018 · 9:28 AM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 @dsilverstone

11 Oct 2018

I've had to deal with a number of KSK rollovers for the first time in production recently. I only fluffed up one of them (the most important one) :-) I need to see if I can automate GANDI to update the KSKs

Peter van Dijk · Oct 11, 2018 · 12:07 PM UTC

Peter van Dijk @Habbie

11 Oct 2018

I understand GANDI is in on CDS/CDNSKEY, should make things easier

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · Oct 11, 2018 · 12:10 PM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · Oct 11, 2018 · 12:10 PM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 @dsilverstone

11 Oct 2018

Replying to @Habbie @fanf

Oooh whassat?

Oct 11, 2018 · 12:10 PM UTC

Peter van Dijk · Oct 11, 2018 · 12:12 PM UTC

Peter van Dijk @Habbie

11 Oct 2018

Replying to @dsilverstone @fanf

you publish intended parent-side DS on your side as CDS; parent monitors this, trusts it after a few days and adopts it. CDNSKEY is the obvious non-hashed variant.

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · Oct 11, 2018 · 12:18 PM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 @dsilverstone

11 Oct 2018

Oh that sounds very useful. I'll have to look what the complexity of creating the records will be for our infra. That'd be a super-duper way to fix things

Peter van Dijk · Oct 11, 2018 · 12:13 PM UTC

Peter van Dijk @Habbie

11 Oct 2018

Replying to @dsilverstone @fanf

blog.cloudflare.com/automati… mentions Gandi

Tony Finch · Oct 11, 2018 · 12:19 PM UTC

Tony Finch @fanf

11 Oct 2018

I am now even more grumpy about the university finance bureaucracy, sigh