There have been major improvements made by the sysadmin team over the last few weeks. Even if they are not visible, we want to explain what has been done and what benefits it will bring to you.
Bind9 was no longer satisfactory in several respects. Its configuration is not straightforward, which makes it difficult to manage efficiently; its DNSSEC implementation lacks major features; there are a lot of security concerns; and its future is not clear.
So we moved to Knot DNS 2 from CZ.NIC. It addresses most of the concerns above:
- active development,
- the YAML configuration is simple and very efficient,
- the DNSSEC implementation is very complete and provides automatic key management.
We are now able to provide DNSSEC on all of our domains. The keys are now rolled monthly.
We now support DANE on every domain we manage (including the mail server). Even if it is not yet supported by web browsers, it is defined in RFC 6698. DANE allows the SSL certificates to be published in a DNS record, thus offering another way to check their authenticity.
If you want to look further into this, we encourage you to take a look at www.dnssec-validator.cz.
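As an added example (not part of the original post, nor code from Knot DNS), here is how the TLSA record defined by RFC 6698 is derived from a certificate and how a client compares a presented certificate against it. The certificate bytes are constructed for the demonstration, not a real X.509 certificate.

```python
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate: only the raw bytes matter
# for a TLSA record, so this is not a real X.509 structure.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

# Matching type -> digest over the selected data (RFC 6698 2.1.3); 0 = unhashed.
MATCHING = {0: None, 1: "sha256", 2: "sha512"}


def tlsa_owner(host, port, proto="tcp"):
    """Owner name of the TLSA record for a service (RFC 6698 section 3)."""
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))


def tlsa_assoc_data(cert_der, selector=0, matching_type=1, spki_der=None):
    """Certificate Association Data (RFC 6698 section 2.1.4).

    Selector 0 covers the whole certificate; selector 1 covers only the
    SubjectPublicKeyInfo, which the caller must pass as spki_der because this
    example carries no X.509 parser.
    """
    if selector == 0:
        data = cert_der
    elif selector == 1 and spki_der is not None:
        data = spki_der
    else:
        raise ValueError("unsupported selector or missing SubjectPublicKeyInfo")
    algo = MATCHING[matching_type]  # KeyError on a matching type we do not know
    return data if algo is None else hashlib.new(algo, data).digest()


def tlsa_presentation(cert_der, usage=3, selector=0, matching_type=1, spki_der=None):
    """Zone-file RDATA such as '3 0 1 <hex>' (RFC 6698 section 2.2)."""
    assoc = tlsa_assoc_data(cert_der, selector, matching_type, spki_der)
    return "%d %d %d %s" % (usage, selector, matching_type, assoc.hex())


def tlsa_matches(record, cert_der, spki_der=None):
    """Compare a server's certificate with one TLSA record (byte check only).

    Usage 1 also needs PKIX chain validation; usages 0 and 2 name a CA or
    trust anchor, not the end-entity certificate, so they are not checked here.
    """
    fields = record.split()
    usage, selector, matching_type = (int(f) for f in fields[:3])
    if usage not in (1, 3):
        raise ValueError("only end-entity usages 1 and 3 are checked here")
    want = bytes.fromhex("".join(fields[3:]))  # hex may be wrapped over words
    got = tlsa_assoc_data(cert_der, selector, matching_type, spki_der)
    return hmac.compare_digest(want, got)
```

The record for a mail server would be published at `tlsa_owner("mail.example.com", 25)` with the RDATA from `tlsa_presentation(cert_der)`; the whole check is only meaningful when the answer arrives DNSSEC-validated.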
We plan to publish our PGP public key in DNS in the near future too.
A few months ago we wrote Ansible playbooks to automate the deployment of new servers.
Since we now manage a few dozen servers, we'd like to go a step further and automate the daily management too, with Puppet.
This large effort will make us more reactive.
Since the public beta of Let's Encrypt is open, we'll be able to securely provide every future web service with a valid certificate. Let's Encrypt puts automation at the core of the protocol, and we'll be able to manage it thanks to the work above.
All of these new features and improvements are made to increase ToolsLib's security, usability and efficiency.
Don't hesitate to share your thoughts about this blog post on the forum.