: How to find domain registrar and DNS hosting with good DNSSEC support? Simplified problem I want to buy a domain and make a website that is fully secured with DNSSEC. I want to make sure
Simplified problem
I want to buy a domain and make a website that is fully secured with DNSSEC.
I want to make sure that only the one right SSL certificate could be validated by the browsers and all of the rogue SSL certificates or certificates for unqualified names would be rejected.
Where can I buy a domain? Whare should I buy a certificate? (Or should I use a self-signed certificate with DNSSEC instead of CAs?) Where can I host DNS? Which providers make the whole process most convenient, most affordable, most complete, most professional, most robust, most secure?
Background
I've been hearing about the insecurity of DNS for years. I've watched all of the talks by Dan Kaminsky and others from DNS exploits
to The future of DNS Security Panel.
I knew that using DNS without security is a disaster waiting to happen.
I followed the development of the DNSSEC standard. I celebrated the key signing ceremony.
Meanwhile I read about Thousands of SSL Certs Issued To Unqualified Names and Rogue SSL Certs Issued For CIA, MI6, Mossad and many other stories like that showing problems with the current implementation of websites secured with SSL that could be solved by DNSSEC (see: A Major Internet Milestone: DNSSEC and SSL and DNSSEC to fix the SSL mess? and SSL certificate validation and DNSSEC). Everything was on the right track to finally have a secure DNS system in place.
And now more than 2 years later I wanted to just do what everyone said I should do: use DNSSEC for a new domain. So I need a domain registrar and a DNS hosting service that supports DNSSEC. Surprisingly it is not that easy to even find out who does support DNSSEC and to what extent. It was actually much easier to find info on DNSSEC two years ago when everyone was going to support DNSSEC Real Soon Now but now years passed and I hardly see any progress done. I just hope that I was just looking in the wrong places and someone here will kindly explain all of the doubts.
I hope that other people who want to have a secure website will also find this question useful.
What is needed
registrar and DNS servers with full DNSSEC support for .com domains
integration of DNSSEC with SSL certificates
What is not needed
IPv6 support
Web hosting
anything more
What I found out so far
Go Daddy offers Premium DNS service for additional per year that lets you "Secure up to 5 domains with DNSSEC".
easyDNS has DNSSEC available in Beta across all service levels (you need to enable the "beta" flag in configuration) but it doesn't seem to be production ready and judging from the lack of updates it isn't a feature of highest priority (the last update from March 2011 on the easyDNS blog).
Name.com - according to The Register (US domain registrar does IPv6, DNSSEC) it has DNSSEC support since 2010 but right now (October 2012) I couldn't find anything related to DNSSEC on their website.
Dynadot that is very often recommended doesn't support DNSSEC
Namecheap that is also often recommended doesn't support DNSSEC. The support answer from 2011 suggested that it was being added but in 2012 still no ETA is given to customers.
DynDNS was supposed to support DNSSEC, I found a link explaining DNSSEC support but it gives 404 Not Found page and offers a search box - when searching for DNSSEC I get "No results were found for your query."
GKG was recommended online for DNSSEC support but it's hard to find any information on the level of DNSSEC support - there is a brief explanation on what is DNSSEC and how to sign Delegation Signer records in their FAQ but no information about the level of actual support can be found.
Ask Slashdot: Which Registrars Support DNSSEC? from July 2011 - Answers list Go Daddy, DynDNS, GKG, Name.com as registrars that support DNSSEC but: see above.
Registrars that support end user DNSSEC management, including entry of DS records by ICANN (thanks to Rob for reminding me about it) - the problem with this list is that the level of support is unknown, the fact whether you have to pay for DNSSEC additional fees is not mentioned, let alone the convenience of buying, configuring and hosting domains fully secured with DNSSEC and SSL.
List of .ORG Registrars who have passed OT&E for DNSSEC published by the Public Interest Registry - a lot of registrars but they are listed for .org TLD support and as they say: "This does not indicate whether the registrar has enabled a DNSSEC service for the registrants. Please contact the registrars directly for their DNSSEC service."
How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars by the Internet Society (thanks to Nick for pointing it out) currently lists only two that support .com TLD on the list of "Registrars Supporting DNSSEC For Registration and Hosting" ie. Go Daddy (with an additional fee of /year) and Dyn (with an additional fee of 0/year). See How To Sign Your Domain With DNSSEC Using Dyn, Inc and How To Sign Your Domain With DNSSEC Using GoDaddy.com for details.
Related questions
How to find web hosting that meets my requirements?
What is needed to add DNSSEC to my site?
DNS hosting better managed by Domain provider or Hosting provider?
Registrar with good security, DNS hosting, and DNSSEC and IPv6 resolvers?
In no. 1 no one is ever mentioning DNS at all.
In no. 2 answers only mention the .se TLD, there are very few answers and they seem very outdated.
In no. 3 one answer says "On projects that demand higher security, I might look for a web host that supports DNSSEC" but no more information is provided.
The only relevant answers are in no. 4 where easyDNS is recommended by someone who has never used them personally. Meanwhile, as of October 2012, the support of DNSSEC is described as "in beta" on the easyDNS feature list.
Another one recommends SiteGround but searching their site for DNSSEC returns no results. Other answers recommend web hosting providers that don't meet the requirement of DNSSEC support. Also the question mentioned above lists 9 very specific requirements other than only DNSSEC (like eg. HTTP-only login cookies, two-factor authentications, no DNS record limits, DNS statistics of queries/day, audit trails etc.) which might have excluded many possible recommendations if one is only interested in DNSSEC support.
Conclusions
Is it possible that the pioneer of DNSSEC adoption would be Go Daddy and all of the "expert" DNS services are not ready yet?
I thought that by the end of 2012 the support of DNSSEC among domain registrars and DNS providers would be nearly universal. I am shocked that the support seems virtually nonexistent. Is this a result of some serious problems with the DNSSEC adoption? Or is it just not a hot topic and no one bothers anymore? According to the DNSSEC Scoreboard roughly about 0.1% of .com domains support DNSSEC. Could that be caused by the lack of DNSSEC support among registrars and DNS providers, is the information too hard to find or maybe no one cares? There is even no "dnssec" tag here.
Summary
The information is surprisingly hard to find. That is why I am asking for first-hand experience and personal recommendations.
Has anyone here actually set up a website with DNSSEC, from the domain registration to the configuration of DNS servers, to actually having a working website that is fully secured with DNSSEC?
Has anyone successfully integrated DNSSEC with SSL certificates to make sure that only the one right certificate could be validated by the browser and all of the rogue SSL certificates or certificates for unqualified names would be rejected?
Can anyone recommend any of the registrars mentioned above?
Can anyone recommend any registrar not mentioned above?
Any good experience? Bad experience?
More posts by @Twilah146
2 Comments
Sorted by latest first Latest Oldest Best
This website: pointless.net/
Is dnssec signed and uses a TLSA record (RFC6698) to secure the SSL certificate (Which is also signed by CA CERT, a sort of open source web of trust CA).
I run my own nameservers and use Easydns as my registrar - however Easydns doesn't support putting a DS record in the .net zone so I use the ISC Domain Lookaside Validation service (DLV) as the trust anchor, which is free and is used by the majority of DNSSEC validatiing resolvers. I'm also using gkg.net for some other domains and they do support doing DNSSEC properly.
Currently no web browser (as far as i'm aware) has native support for validating TLSA records however you can get a TLSA validating add-on for firefox, but it hangs on some dns lookups.
I did a talk on DNSSEC and related matters at the EMFCamp Hackercamp this summer, my notes and link dump are on the EMFCamp wiki.
P.S. If you are reading this and think DNSSEC and TLSA is a waste of time then read this paper about how the Great Firewall of China Leaks.
So to answer your summary questions:
Has anyone here actually set up a website with DNSSEC, from the domain registration to the configuration of DNS servers, to actually having a working website that is fully secured with DNSSEC?
yes
Has anyone successfully integrated DNSSEC with SSL certificates to make sure that only the one right certificate could be validated by the browser and all of the rogue SSL certificates or certificates for unqualified names would be rejected?
yes
Can anyone recommend any of the registrars mentioned above?
gkg.net
Can anyone recommend any registrar not mentioned above?
dlv.isc.org, while it's not exactly a registrar it lets you work around registrars which don't support dnssec.
Any good experience? Bad experience?
lessons learned:
If you run your own dns servers you must use some software for managing the dnssec key rollovers, I use zkt signer.
you can't have the same piece of DNS server software be both an authoritative server and a validating resolver - the ad and aa flags clash, I had to stop my nameserver from being a resolver, unbind it from localhost and use unbound on localhost instead.
updates:
This is a good summery of the current state of play
update 13 Dec 2012:
I'm now using gkg.net for all my domains. I'm still also using the isc dlv service, but I don't really need it anymore.
update 15 Sep 2014
I'm now using gandi.net
I don't have personal experience with DNSSEC so can't really make any recommendations, but this link from the ICANN site shows a list of the current registrars who have reported support for DNSSEC:
www.icann.org/en/news/in-focus/dnssec/deployment
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.