
> The key rollover part is what kills me about DNSSEC.

Key rollover is completely optional with DNSSEC (unlike with TLS where it's semi-mandatory). All of my domains use infinite lifetime DNSSEC keys, which probably isn't ideal from a security perspective, but it's still much better than no DNSSEC at all.

> but at least if I mess up a TLS cert renewal the worst case is a browser warning.

If you have HSTS enabled (which you probably should), then you're unable to bypass the browser warnings, so if you have a bad TLS certificate, then you'll be completely unable to connect to the website.

At least the error goes away immediately, for everyone, once you fix the cert.

.net seems to serve DS records with at least an 18-hour TTL. So worst case it takes your monitoring up to 18 hours to notice your record was broken, and then another 18 hours before your fixed record is served everywhere.
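Added example, not from anyone in the thread: the "monitoring notices your record was broken" check above amounts to comparing the DS the parent serves against the DNSKEY the child serves. The script below does that comparison offline in Python by building the DS digest the way RFC 4034 defines it (SHA-256 over the owner name in wire format followed by the DNSKEY RDATA, digest type 2) and computing the key tag from Appendix B. The zone name, DNSKEY fields and the four-zero-byte public key are constructed so the key tag can be checked by hand; they are not real zone data. Feeding it real `dig DNSKEY` and `dig DS` output would need a resolver call that is omitted here.

```python
import base64
import hashlib
import struct

# Constructed records for illustration only (not real zone data).
# The public key is four zero bytes so the key tag below can be verified by hand.
EXAMPLE_ZONE = "example.com."
EXAMPLE_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key_b64": "AAAAAA=="}


def owner_name_wire(name: str) -> bytes:
    """Owner name in DNS wire format (RFC 1035 labels), lower-cased as RFC 4034 requires for the digest."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata_wire(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(zone: str, dnskey: dict) -> dict:
    """The DS record (digest type 2 = SHA-256) that the parent must publish for this DNSKEY."""
    rdata = dnskey_rdata_wire(dnskey["flags"], dnskey["protocol"],
                              dnskey["algorithm"], dnskey["public_key_b64"])
    digest = hashlib.sha256(owner_name_wire(zone) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": dnskey["algorithm"],
            "digest_type": 2, "digest": digest}


def parse_ds_presentation(text: str) -> dict:
    """Parse 'keytag algorithm digesttype digest' as dig prints DS RDATA (digest may be space-split)."""
    fields = text.split()
    return {"key_tag": int(fields[0]), "algorithm": int(fields[1]),
            "digest_type": int(fields[2]), "digest": "".join(fields[3:]).upper()}


def ds_matches(zone: str, ds: dict, dnskey: dict) -> bool:
    """The monitoring check: does the DS seen at the parent still match the child's DNSKEY?"""
    if ds["digest_type"] != 2:        # only SHA-256 DS records are handled in this example
        return False
    expected = make_ds(zone, dnskey)
    return (ds["key_tag"] == expected["key_tag"]
            and ds["algorithm"] == expected["algorithm"]
            and ds["digest"].upper() == expected["digest"])


if __name__ == "__main__":
    good = make_ds(EXAMPLE_ZONE, EXAMPLE_DNSKEY)
    print("DS the parent must publish:", good)
    print("current DS matches child DNSKEY:", ds_matches(EXAMPLE_ZONE, good, EXAMPLE_DNSKEY))
    # A DS left behind after the child rotated its key: the digest no longer matches,
    # and this is the condition a monitor should alert on.
    stale = dict(good, digest="00" * 32)
    print("stale DS matches child DNSKEY:", ds_matches(EXAMPLE_ZONE, stale, EXAMPLE_DNSKEY))
```

Because the parent's DS TTL governs how long a stale or broken answer stays cached, a monitor that runs this check against the parent's authoritative servers directly (rather than through a recursive resolver) sees the break, and later the fix, without waiting out that TTL itself.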
