Lessons Learned from Fully-Chained DNSSEC

Not long after DNSSEC was enabled for the .com domain, jasadvisors.com became one of the first DNSSEC-signed zones in the .com TLD.  DS records for .com were published in the root on March 31, 2011 and our DS records appeared in .com a day later.

Since then, we’ve learned a lot about managing a DNSSEC installation, experiences we’ve passed on to our clients.  Many of our clients are currently DNSSEC-enabled on the recursive and/or authoritative side.

Verisign has a great tool to see and debug the chain of trust.  Sandia National Labs also has a fantastic tool.

DNSSEC is just one of many valuable tools that help make the Internet more reliable and secure.