[dns-operations] DNSSEC signatures expired for getdnsapi.org and getdnsapi.net

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Sep 18 10:52:37 UTC 2017

> On Sep 18, 2017, at 6:34 AM, bert hubert <bert.hubert at netherlabs.nl> wrote:
>> I'd like to suggest monitoring.  For my own domains, the alarms start
> I'd like to suggest DNS solutions that autosign. There are millions of
> autosigning domains out there (the vast majority even). We continue to see
> "manual" signing fail, even with very smart operators.

Even *auto-signing* needs monitoring.  My domains auto-sign, and yet
occasionally the auto-signing (at least in BIND) seems to stop, until
it is given a good kick to get it going again.  Unmonitored automation
is incomplete automation.

> I realize not all security goals can be met with such a solution. But I also
> realize we are the butt of a lot of jokes if even the DNSSEC cognoscenti
> aren't able to keep their domains working.

Hence monitoring in fact is more important than blind belief that some
automated process is perfect and never fails.  Of course monitoring
can also fail, so it should be tested from time to time...
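
An added example, not part of the original message or any poster's own tooling: one way to check signature expiry of the kind discussed above, by parsing RRSIG records in the presentation format that `dig +dnssec` prints. The names `parse_rrsigs` and `check`, the `example.org` records and the three-day warning margin are assumptions made for illustration; the input is assumed to use the YYYYMMDDHHmmSS time form.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample input (not real zone data): RRSIG records in the
# presentation format printed by `dig +dnssec`; signatures are truncated.
SAMPLE = """\
example.org. 3600 IN RRSIG SOA 8 2 3600 20170925000000 20170911000000 12345 example.org. c2ln...
example.org. 3600 IN RRSIG NS 8 2 3600 20170919000000 20170905000000 12345 example.org. c2ln...
example.org. 3600 IN RRSIG DNSKEY 8 2 3600 20170917000000 20170903000000 12345 example.org. c2ln...
"""

def _ts(field):
    # RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        yield f[0], f[4], _ts(f[9]), _ts(f[8])

def check(text, now, warn=timedelta(days=3)):
    """Return (status, findings); status is OK, WARNING or CRITICAL."""
    findings, seen = [], 0
    for owner, covered, inception, expiration in parse_rrsigs(text):
        seen += 1
        if now >= expiration:
            findings.append(("CRITICAL", f"{owner} {covered}: expired {expiration:%Y-%m-%d %H:%M}Z"))
        elif now < inception:
            findings.append(("CRITICAL", f"{owner} {covered}: not yet valid"))
        elif expiration - now < warn:
            findings.append(("WARNING", f"{owner} {covered}: expires {expiration:%Y-%m-%d %H:%M}Z"))
    if seen == 0:
        # No signatures in the answer is itself a failure, not silence.
        findings.append(("CRITICAL", "no RRSIG records in input"))
    levels = {lvl for lvl, _ in findings}
    status = "CRITICAL" if "CRITICAL" in levels else "WARNING" if levels else "OK"
    return status, findings

if __name__ == "__main__":
    now = datetime(2017, 9, 18, 10, 52, 37, tzinfo=timezone.utc)
    status, findings = check(SAMPLE, now)
    print(status)
    for lvl, msg in findings:
        print(f"  {lvl}: {msg}")
```

Feeding the check an empty answer, as the last branch handles, is a simple way to test that the monitor itself still raises an alarm.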

