MSBFS additions #485
MSBFS additions #485
Conversation
| @@ -83,6 +84,9 @@ host -a demo.example.com. | |||
| !!!important | |||
| Be cautious when using CNAMEs and apex domains (e.g., `example.com`). See [here](https://serverfault.com/questions/613829/why-cant-a-cname-record-be-used-at-the-apex-aka-root-of-a-domain) for a long discussion of potential problems and current workarounds. | |||
|
|
|||
| !!!important | |||
| MSBFS 2020:7 4 kap. 9 § requires you to use DNSSEC for all your registered domains. | |||
There was a problem hiding this comment.
I think this deserves a longer explanation, so they know what they need to do. Because it goes against the usual "we make a bunch of domains for you, and you then make a prettier CNAME for your end users". It could be something simple like:
"For DNSSEC to work, you have to make A records in your DNS provider and point them to the load balancer that is fronting the Ingress Controller. Cloud infrastructure provider specific behaviors can apply, so talk to your cluster administrator to make sure you get these things right."
There was a problem hiding this comment.
Mkey, I just checked and it took me 5 minutes to enable DNSSEC on an AWS Route53 domain. I think we should leave the instructions as-is and push for DNSSEC in the arch meeting. 😄
As discussed during the last PM meeting, I added clarification for how our customers can comply with MSBFS.