I feel that. Next step is a proper Xeon E5 v4+ system to do my IPS/IDS
For now my DNS records are complete
dig @9.9.9.9 < MY-TLD >.net ANY +dnssec +multiline
; <<>> DiG 9.16.22 <<>> @9.9.9.9 < MY-TLD >.net ANY +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31849
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 31, AUTHORITY: 0, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;< MY-TLD >.net. IN ANY
;; ANSWER SECTION:
< MY-TLD >.net. 300 IN SOA ns1.< MY-TLD >.net. hostmaster.< MY-TLD >.net. (
2021111397 ; serial
14400 ; refresh (4 hours)
900 ; retry (15 minutes)
28800 ; expire (8 hours)
240 ; minimum (4 minutes)
)
< MY-TLD >.net. 300 IN RRSIG SOA 14 2 300 (
20211130195934 20211115185934 11487 < MY-TLD >.net.
mIjrsgWS+pQLdy87Su8Z0UbeOFP7NMoRaDPPZHeAyJsE
+q/WawMqLH8G5PcypiVaTjicv3WufPMJ9rnCvlaQBtsC
wLlGS71dP239BpK3IZhOhWNQ0acQmsx3yQ0GTSBn )
< MY-TLD >.net. 300 IN TXT "oa1:btc" "recipient_address=18aPyZZ6kXN4jh3fd7Vf3vGkm9U6QDNcxe"
< MY-TLD >.net. 300 IN TXT "oa1:xmr" "recipient_address=4373MaqnKswCRm1WrFJtXdEVDnnboGjSC7117Z2irZcyRvScZx8wToF54aDo8dqh7FU6MB4AgbeUKPLM9c2VRP4iAB6mH83"
< MY-TLD >.net. 300 IN RRSIG TXT 14 2 300 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
+FwWGNfdtVOkLvZbwprB6pKSdLxi5BB6/nJVvp2/X7wy
RxVQRa5DwaxJs6aLgsNC+P3DFkxEiLouwx1tY0QF7dxl
0BWgKWhWERkuM26MJU/3qjWMhURvb1GYtP2bQfGW )
< MY-TLD >.net. 300 IN SSHFP 4 1 (
B334AC074053354BE6160D5FA58B9ACAF273C223 )
< MY-TLD >.net. 300 IN SSHFP 4 2 (
159C867AEBAB56ECAB6F0A6B33080338A1AD356CDDFD
18DE604A4C7C71FA4FFA )
< MY-TLD >.net. 300 IN SSHFP 2 2 (
C64434A6FFA5975099C00BCB983470BED627716DE591
C26C509CBC2A945F26BC )
< MY-TLD >.net. 300 IN SSHFP 3 2 (
3E53A430A6729186154A39611DDFDCD807D60E61E15C
950A78364D790AB8B422 )
< MY-TLD >.net. 300 IN SSHFP 1 1 (
080F22AD4A9837057295431121B4B2E3A6E8D1AC )
< MY-TLD >.net. 300 IN SSHFP 1 2 (
4CC07F5D066C0405B04FAA01F2DBB1086B7F4C5ED571
34EBB0110B2CA3BC8056 )
< MY-TLD >.net. 300 IN SSHFP 2 1 (
9A120DE7E960AD7D5EA126DE2F0B47323A52FE49 )
< MY-TLD >.net. 300 IN SSHFP 3 1 (
E8F126DAE356BE7C2AEDF5E4E9D94822C700FEAD )
< MY-TLD >.net. 300 IN RRSIG SSHFP 14 2 300 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
d3rLX0FHW3caln8tyb54xEO3x9pOnQW/EF49eJ0ZdMGZ
Ah2dShjn9b3NLCo9bYYbTnEBBjnl4RVTc5Pxm8b9dqWN
VgLpZhgXq4cIdj+p4TaRVmmsYOSVFctISHQGdVAK )
< MY-TLD >.net. 300 IN CAA 0 issue "comodo.com"
< MY-TLD >.net. 300 IN RRSIG CAA 14 2 300 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
td9B9E/g5UkB3g2X5aQ9seMX1D87xAJvUtc/Hm7Ezw/s
IzmABaN7acXBuFzyZ0EUoGg4w65u3oTN0iO1UKFFP8iX
cDuPvoRuPPAWE5BVPKHKTt0ZBbhDDqVuyEt/p2/0 )
< MY-TLD >.net. 300 IN AAAA 2600:3c04::f03c:92ff:fec6:2030
< MY-TLD >.net. 300 IN RRSIG AAAA 14 2 300 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
DzqfB/qwH/y3UtdZUCOMW5qCMLI57BWVj1U8Nz+0AOgu
E+mRzNt4RXgvz9KP9RbMnDcg29eKTMYIRAZbLmSbCVvK
DIo8Ly4G70GX6d1QoKVpUtRuyvRrnheSCLyveoy8 )
< MY-TLD >.net. 300 IN NS ns1.< MY-TLD >.net.
< MY-TLD >.net. 300 IN NS ns2.< MY-TLD >.net.
< MY-TLD >.net. 300 IN RRSIG NS 14 2 300 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
AWwEX+CDN3WGIh8FGd8dY7KWM6/gyIdD1CFGcsrGg0F3
ATIcN/wK/9hP85srWto5miEYuiPAnzFy/sutL4+Q5bd6
VhA6uJuzNU0bWhLdumsfHQlCrAQIvgGMEEksuLCO )
< MY-TLD >.net. 300 IN A 192.53.120.164
< MY-TLD >.net. 300 IN RRSIG A 14 2 300 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
qYVP1vVrC43PydPxj4jo8bw8XMn7bxf41qXodg9leg3m
2HxFHAGNO6/Lwzsqt3dwdaWEpsG6gUxreBfDmgBq8MV7
q1bfp8IWhgl3xLrunFEUH4U8b8DB+hB24iDnwY3i )
< MY-TLD >.net. 600 IN DNSKEY 257 3 14 (
lBVStWR+jJQC7t833te7kp3GRFEMbn4wl6m8K6KQ6btB
fGrsefRGJra2KsHI4MsUtWJOvk0xs057w2319vhdLFce
INzsD1zTvnKoxNXpCBDqGi+y4WF8Nho+JNXqhGct
) ; KSK; alg = ECDSAP384SHA384 ; key id = 55295
< MY-TLD >.net. 600 IN DNSKEY 256 3 14 (
5tdCXp5Ru8CA18uc7NPxyKjvYZr+QEXx5PHKOQKfwjMd
QUyHsAkTkNIJaNakzXONefYSGeERlrKKKttmBF8O4fpG
XmzD4KE5GD9mQcvplj+1pgNNF7A+Xa2j5ETqr5Bo
) ; ZSK; alg = ECDSAP384SHA384 ; key id = 11487
< MY-TLD >.net. 600 IN RRSIG DNSKEY 14 2 600 (
20211129101824 20211114091824 55295 < MY-TLD >.net.
Ihq+D4NeGFgFoG4zOite/JK8EnS46N8/MA/FyRNzlMJn
Uaf/C1Em0yKDhun21lonfOxWiusOl81wW9UuezvNqnTx
eu3qulF8ZluGOD0lnS5RNn52v0KKnB156FVLX27f )
< MY-TLD >.net. 5 IN TYPE65534 \# 5 ( 0E2CDF0001 )
< MY-TLD >.net. 5 IN TYPE65534 \# 5 ( 0ED7FF0001 )
< MY-TLD >.net. 5 IN RRSIG TYPE65534 14 2 0 (
20211129061524 20211114091824 11487 < MY-TLD >.net.
89/4xbx+O31d2CcA7Xmilo6iwm4QzmlcodXz/Pd3/Eb5
akWY4JeYZZLLHqe2sbSAlYElU35fBjn46Zjg5UPLsHvr
Tn19UXke1KQM/iPxKeumdvpdPuMElefL+SQFvvSV )
< MY-TLD >.net. 240 IN NSEC *.< MY-TLD >.net. A NS SOA TXT AAAA SSHFP RRSIG NSEC DNSKEY CAA TYPE65534
< MY-TLD >.net. 240 IN RRSIG NSEC 14 2 240 (
20211129061524 20211114091824 11487 < MY-TLD >.net.
/9FoYqSFek0+WEqrBeL3dBsRf6u1QaIwsMF3Y6Pks+99
ClMD58PpMEztYjNgRygcigD+5GJoYu8RBqzSRYc5oY8n
93CfpwIxSv40eN1QZbZeA5iQJqSRYUfNO5gv6rAu )
;; ADDITIONAL SECTION:
ns1.< MY-TLD >.net. 300 IN A 23.239.20.9
ns2.< MY-TLD >.net. 300 IN A 173.255.255.89
ns1.< MY-TLD >.net. 300 IN AAAA 2600:3c01::f03c:92ff:fece:5fc0
ns2.< MY-TLD >.net. 300 IN AAAA 2600:3c01::f03c:92ff:fe9e:3ef0
ns1.< MY-TLD >.net. 300 IN RRSIG A 14 3 300 (
20211127031107 20211114091824 11487 < MY-TLD >.net.
J4CCJTBCTav6Jy1OHK9idfPKySYITBKye7glnmeuzkiT
7xhKVAmFUDZZciez5zq7X4wxLs0W9g0nTYmaH5YlDsKU
koqll1CxnhxF91aQpXX+9AOJSpQom/V/4DHGjUjN )
ns2.< MY-TLD >.net. 300 IN RRSIG A 14 3 300 (
20211121205825 20211114091824 11487 < MY-TLD >.net.
R6a6DMBKYtEyL+186L7IXMlb16E+t4ZfbAES6tTH5kZ1
krfH/cr1y6V+8p4MDZbOTRPTEo6te0OIvrLCrUzw9ShG
+Ltc3mCKGhQZq03cZVht3GTMsLeaH1i5nPRWFDpw )
ns1.< MY-TLD >.net. 300 IN RRSIG AAAA 14 3 300 (
20211127031107 20211114091824 11487 < MY-TLD >.net.
oeZFAMsFUWOkAkedG8IKW5FR5Xyq32sgoOpFk92IC2N5
3HlOSKdkVUwH/t+m6axwCGR5o2hULOF8B4W7VrdccuMv
2QgygyPBFGNz7wNbThDTNalLtBeB9iJFV/XC1mx7 )
ns2.< MY-TLD >.net. 300 IN RRSIG AAAA 14 3 300 (
20211121205825 20211114091824 11487 < MY-TLD >.net.
KSRFnDCrqQzRQDdeCb+4us5wucXNAULSzrlxhShvV3mm
nYjHd620ZehL83ij9QVDI3Z1EN8IaOQYA3FrApqe4OiL
nafNAeEOs0BC97XDUbX3uQcojNPujQZtFUcW4V7u )
;; Query time: 80 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Nov 15 20:13:10 MST 2021
;; MSG SIZE rcvd: 3104
and NSEC3 is used for when stuff doesn't exist
dig @9.9.9.9 DoesNotExist.< MY-TLD >.net ANY +dnssec +multiline
; <<>> DiG 9.16.22 <<>> @9.9.9.9 DoesNotExist.< MY-TLD >.net ANY +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9122
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;DoesNotExist.< MY-TLD >.net. IN ANY
;; ANSWER SECTION:
DoesNotExist.< MY-TLD >.net. 300 IN CAA 0 issue "comodo.com"
DoesNotExist.< MY-TLD >.net. 300 IN RRSIG CAA 14 2 300 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
WUyyYMVfdiHcvr3WGNmHEPkkmjfmk8MzgcuayrKgoMmZ
YB1PHKeO6xcYiwsSmmBqnoiDuYQl4uMp5JU8uZtL6imt
6vKQfDGPPlLL2dLQkRKtKExeZK6sR1DBzcqexuC3 )
DoesNotExist.< MY-TLD >.net. 300 IN AAAA 2600:3c04::f03c:92ff:fec6:2030
DoesNotExist.< MY-TLD >.net. 300 IN RRSIG AAAA 14 2 300 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
sTCVAN2IZgA/ieVcylOhr0vjcL3Qa7+hjsc8vgSwF7hC
J6e6MQQgTnBRc8aLQ8+6+OosPrHqplVADFdalZuimMZi
MeDHQUTl2HtHfjxJ0de77H2WxmIOBTG4iImLSyx0 )
DoesNotExist.< MY-TLD >.net. 300 IN A 192.53.120.164
DoesNotExist.< MY-TLD >.net. 300 IN RRSIG A 14 2 300 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
Uk9XFyBZ4pePOmOuCXnnR8SmuRRSrw8W6IX6ypAfSKiY
TSvnDqSHjVDANwXSFOo2wJ35NgLmsu6mmwV6oF30B5lC
9RA6u25+G0aALg8bLyy+PuAAsyFbr5vr5NTTgHun )
DoesNotExist.< MY-TLD >.net. 240 IN NSEC 0bin.< MY-TLD >.net. A AAAA RRSIG NSEC CAA
DoesNotExist.< MY-TLD >.net. 240 IN RRSIG NSEC 14 2 240 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
o24OlOzfAOrsrwoZh5GQ/tg+i42shVIEU7bnxRePqnFp
R0oZs+jSXfBvbEqSdg6n8gCIj3+foR1ychL1D8rWYDUF
1uTlv8CiUKUvAip5PpEwKnwsIcLb9KoKQtfQKVSF )
;; AUTHORITY SECTION:
< MY-TLD >.net. 300 IN NS ns1.< MY-TLD >.net.
< MY-TLD >.net. 300 IN NS ns2.< MY-TLD >.net.
< MY-TLD >.net. 300 IN RRSIG NS 14 2 300 (
20211128192759 20211114091824 11487 < MY-TLD >.net.
AWwEX+CDN3WGIh8FGd8dY7KWM6/gyIdD1CFGcsrGg0F3
ATIcN/wK/9hP85srWto5miEYuiPAnzFy/sutL4+Q5bd6
VhA6uJuzNU0bWhLdumsfHQlCrAQIvgGMEEksuLCO )
dns.< MY-TLD >.net. 240 IN NSEC git.< MY-TLD >.net. CNAME RRSIG NSEC
dns.< MY-TLD >.net. 240 IN RRSIG NSEC 14 3 240 (
20211130190445 20211115185934 11487 < MY-TLD >.net.
4Oz12iKRF3tjukdFzpFVCmrMnAZrUy9tUPeDmAI8xiAo
v/Loomh0F8BAFs50XALEdXrVtZzw49j8VkYQ6XPrMSZQ
JeA3bmquN5m+u/XtJfYHKd9bXcxAwKPe0MVXBRaJ )
;; Query time: 50 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Nov 15 20:16:18 MST 2021
;; MSG SIZE rcvd: 1087
So I think I'll worry about it closer to the 60 day mark of a ZSK rollover and see what happens
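Added example, not part of the original post: one way to read `dig +dnssec +multiline` output like the above and report how long each RRSIG stays valid and which key tag signed it, which is what to watch around a ZSK rollover. The sample input is constructed (example.net and the signature strings are placeholders; the timestamps and key tags are the ones shown in the post), and the parser assumes unredacted owner names without spaces.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in `dig +dnssec +multiline` layout: example.net and the
# signature strings are placeholders; timestamps/key tags are from the post.
SAMPLE = """\
example.net. 300 IN RRSIG SOA 14 2 300 (
    20211130195934 20211115185934 11487 example.net.
    PLACEHOLDERSIGNATUREDATA )
example.net. 600 IN RRSIG DNSKEY 14 2 600 (
    20211129101824 20211114091824 55295 example.net.
    PLACEHOLDERSIGNATUREDATA )
ns2.example.net. 300 IN RRSIG A 14 3 300 (
    20211121205825 20211114091824 11487 example.net.
    PLACEHOLDERSIGNATUREDATA )
"""

RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+\(?\s*"
    r"(\d{14})\s+(\d{14})\s+(\d+)\s+\S+", re.MULTILINE)

def _ts(stamp):
    # RRSIG times are printed as YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return one dict per RRSIG: owner, covered type, validity window, key tag."""
    return [{"owner": o, "covered": c, "expire": _ts(e), "incept": _ts(i), "key_tag": int(k)}
            for o, c, e, i, k in RRSIG_RE.findall(text)]

def expiring_within(rrsigs, now, margin):
    """(owner, type) of signatures already expired or expiring inside margin."""
    return [(r["owner"], r["covered"]) for r in rrsigs if r["expire"] - now < margin]

def earliest_expiry_by_key_tag(rrsigs):
    """Soonest expiration among the signatures made by each key tag."""
    soonest = {}
    for r in rrsigs:
        tag = r["key_tag"]
        soonest[tag] = min(soonest.get(tag, r["expire"]), r["expire"])
    return soonest

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    sigs = parse_rrsigs(SAMPLE)
    print(expiring_within(sigs, now, timedelta(days=7)))
    print(earliest_expiry_by_key_tag(sigs))
```

If a key tag's earliest expiry stops moving forward between runs, that key has stopped re-signing, which is the signal to look for before and after the rollover.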