DNSSEC is a major change in the way DNS works. Furthermore, there is a bewildering array of settings that can be configured.
It is easy to (mis)configure DNSSEC in such a way that your domain
will not operate reliably, or even, at all. We advise operators to stick
to the keying defaults of pdnsutil secure-zone
.
Note
GOST may be more widely available in Russia, because it might be mandatory to implement this regional standard there.
It is possible to operate a zone with different keying algorithms simultaneously, but it has also been observed that this is not reliable.
Depending on your master/slave setup, you may need to tinker with the SOA-EDIT metadata on your master. This is described in the SOA-EDIT: ensure signature freshness on slaves section.
DNSSEC answers contain (bulky) keying material and signatures, and are therefore a lot larger than regular DNS answers. Normal DNS responses almost always fit in the ‘magical’ 512 byte limit previously imposed on DNS.
In order to support DNSSEC, operators must make sure that their network allows for:
If any of the conditions outlined above is not met, DNSSEC service will suffer or be completely unavailable.
In addition, the larger your DNS answers, the more critical the above becomes. It is therefore advised not to provision too many keys, or keys that are unnecessarily large.