Closed Bug 1629834 Opened 5 years ago Closed 4 years ago

DNSSEC for firefox.com

Categories

(Infrastructure & Operations :: DNS and Domain Registration, task)

Product:
Infrastructure & Operations
Component:
DNS and Domain Registration
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: sjw+bugzilla, Assigned: cshields)

Details

(Whiteboard: [dnssec])

bug 1077847 has been wontfixed, but thing have been changed since then. Most Mozilla domains supported DNSSEC and new subdomains like accounts.firefox.com become a critical services.

So I'd like to request DNSSEC for firefox.com again.

ECDSA P-256 should be used (as Cloudflare does) instead of fat RSA.

Working with key stakeholders, we made the decision to stop signing dnssec on the very few zones that were being signed. The adoption was not consistent, and to make everything work across multiple delegations and cloud providers with very dynamic targets would be an effort we can not justify undertaking right now (or in the foreseeable future). firefox.com was never implemented with dnssec, and with this decision will not be implemented (anytime soon)

Assignee: infra → cshields
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.