> If you own and host your own domain, it's probably very easy to have your DNS provider ena...

thayne • today at 5:11 PM • 1 reply • view on HN

> If you own and host your own domain, it's probably very easy to have your DNS provider enable DNSSEC for you

It isn't that easy on AWS.

It also generally is not that easy if your domain registrar is not the same as your dns host, because it involves both parties. And some registrers don't have APIs for automatic certificate rotation, so you have to manually rotate the certs periodically.

Replies

kro • today at 5:32 PM

I have a setup with separated dns and domain since 2021. Using a CSK with unlimited lifetime, I never had to rotate. And could easily also migrate both parts (having a copy of the key material)

The master is bind9, and any semi-trusted provider can be used as slave/redundency/cdn getting zonetransfers including the RRsigs

➕ show 1 reply

alt Hacker News

Replies