# DNSSEC



## mumu (Aug 11, 2021)

Hi folks, after you sign and publish a dnssec zone, do you need to re-sign it again later ?


----------



## ab2k (Aug 18, 2021)

Hi, I will split my answer to technologies:

Cryptographic side:
1. Private keys are lost or compromised.
2. Private keys were not rolled or rolled too long ago.
3. Cryptographic algorithms used for signing are no more secure.

DNS side:
1. You have changed SOA options.
2. You have added, changed or deleted resource records.

Fortunately, you may automate zone and resource records signing and keys rolling by creating and implementing signing policy in dns/bind916.

Please note that DNSSEC is very complicated and if something will go wrong your dns records will be rejected and your clients will not be able to reach your services. You need to keep an eye on every key roll, any change at root zone keys and never get through RRSIG validity period. Think twice before implementing DNSSEC.


----------



## mumu (Aug 20, 2021)

ab2k said:


> Hi, I will split my answer to technologies:
> 
> Cryptographic side:
> 1. Private keys are lost or compromised.
> ...


Noted and thanks for the explaination.


----------

