# DNSSEC Too Complex


{{<figure src="/images/2023/bike-meme-dnssec.jpg" caption="Deploying DNSSEC.">}}

Even though I co-authored [RFC 4641](https://datatracker.ietf.org/doc/html/rfc4641), which lays out
how you should run DNSSEC, I think in retrospect that BCP is way too complex. Ah, the sin of youth.

You should (if you want to run DNSSEC) run with a single key (a common signing key, CSK) that acts as
both KSK and ZSK, and never roll your keys. This is what [CoreDNS'](https://coredns.io)
[sign](https://coredns.io/plugins/sign/) plugin implements and what I use.
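
As an added example (not code from this post or from CoreDNS), here is a small audit that reads a zone's DNSKEY RRset in presentation format and reports whether it uses the single-CSK layout recommended above or the split KSK/ZSK layout; the sample records and their base64 key blobs are constructed placeholders, while the key tag routine follows RFC 4034 Appendix B.

```python
import base64
from dataclasses import dataclass

# Constructed sample DNSKEY RRsets; the base64 blobs are placeholders, not real key material.
CSK_ZONE = "example.org. 3600 IN DNSKEY 257 3 13 AQID\n"
SPLIT_ZONE = (
    "example.org. 3600 IN DNSKEY 257 3 13 AQID\n"   # KSK (ZONE + SEP flags)
    "example.org. 3600 IN DNSKEY 256 3 13 BAUG\n"   # ZSK (ZONE flag only)
)

FLAG_ZONE, FLAG_SEP = 0x0100, 0x0001  # RFC 4034 section 2.1.1 flag bits


@dataclass
class DNSKey:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def key_tag(self) -> int:
        """Key tag (RFC 4034 Appendix B) over the wire-format RDATA; this is the tag a DS record names."""
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey
        ac = 0
        for i, b in enumerate(rdata):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & FLAG_SEP)


def parse_dnskeys(text: str) -> list[DNSKey]:
    """Parse presentation-format DNSKEY lines; other record types are skipped."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        keys.append(DNSKey(flags, proto, alg, base64.b64decode("".join(fields[i + 4:]))))
    return keys


def audit(text: str) -> str:
    """'csk' is the single-key layout the post recommends; 'split' is the KSK/ZSK pair of RFC 4641."""
    keys = [k for k in parse_dnskeys(text) if k.flags & FLAG_ZONE]
    if not keys:
        return "unsigned"
    if any(not k.is_sep for k in keys):
        return "split"
    return "csk" if len(keys) == 1 else "multi-csk"  # several SEP keys: a rollover is in flight
```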

Also see [this Mastodon post](https://mastodon.cloud/@miek/111352709824615368).

