DNSSEC is wonderful

DNSSEC is very cool. It secures DNS, preventing cache poisoning attacks, and it allows you to generate trustworthy SSL certificates bound to your domain name at zero cost. We all hate the snake oil SSL certificate sellers, don't we?

I look around and nobody is using DNSSEC yet. Why? Use it people, it's great!

For an easy introduction I recommend this book:

https://www.michaelwlucas.com/nonfiction/dnssec-mastery

Or… Does nobody run their own DNS servers anymore?

12 Replies

@sednet:

Or… Does nobody run their own DNS servers anymore?

+1

@hoopycat:

@sednet:

Or… Does nobody run their own DNS servers anymore?

+1

I run my own DNS servers, and I have signed all the domains that my registrar(s) allow me to upload a DS/KSK for.

BIND's inline-signing feature <3.

@staticsafe:

I run my own DNS servers, and I have signed all the domains that my registrar(s) allow me to upload a DS/KSK for.

BIND's inline-signing feature <3.

Sadly I'm having to change registrar just to upload my DS records. Most registrars are really dragging their feet on DNSSEC.

BIND managed keys are very nice.

@sednet:

@staticsafe:

I run my own DNS servers, and I have signed all the domains that my registrar(s) allow me to upload a DS/KSK for.

BIND's inline-signing feature <3.

Sadly I'm having to change registrar just to upload my DS records. Most registrars are really dragging their feet on DNSSEC.

BIND managed keys are very nice.

Considering moving my domains to a new registrar for this exact reason. Which domain registrar did you go with in the end? I'm thinking of moving to Gandi.net.

Does Linode support DNSSEC now? A Google search on this turned up documentation stating they don't.

@Malibyte What you've read is correct. We don't currently offer DNSSEC. We don't have an ETA, and we're aware of interest in this feature.

I am trying to set up an IPFS gateway on a subdomain and I cannot do that without DNSSEC.

I have no interest in starting a debate on the pros and cons of DNSSEC, but I should very much like to know why Linode seems to be going against the need for greater security and still doesn't offer DNSSEC functionality on its DNS servers.

Why is that?

@pubdirltd We really appreciate you sharing your thoughts with us about DNSSEC. This feature is something that is definitely on our radar. I've included your reply to our internal tracker, and we will be sure to post updates to our blog as we have them.

@rdaniels With all due respect, Linode has been saying the exact same thing for the last two years, to my knowledge, so probably even longer. And that standard answer doesn't answer my question -- why not?

@pubdirltd I think it's become something of a chicken-and-the-egg thing. Last I knew, the support of registrars for DNSSEC is somewhat spotty (most recent review of registrar support for DNSSEC I know of is here, and that's 2.5 years old). If the registrars are only supporting it spottily, I'm not surprised that DNS hosting providers like Linode haven't made it a priority. And I'm not sure how many of Linode's competitors support it either. I know the users over at Digital Ocean are calling for DNSSEC about like they're calling for it here.

FWIW, my domain has DNSSEC, but I did it by running Bind9 on one of my Linodes, and use Linode's DNS as secondary.

I'll also note that at least Linode lets you use their DNS servers as secondaries (slaves), and their servers are configured to handle DNSSEC in this configuration. By comparison, Digital Ocean doesn't allow using their DNS servers as secondaries. I'm not sure about other competitors.

For those who don't feel comfortable configuring DNS at the command line, there are GUI solutions out there for managing your own DNS server. Webmin will handle this, and a bit of Googling indicates that it does handle DNSSEC.

I'll agree that I'd like to see the Domains section of the Linode Cloud Manager allow configuring DNSSEC on domains, but it's not like you're stuck, unable to use DNSSEC until they do.
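The setup described in the reply above (a self-hosted BIND primary that signs the zone, with a hosting provider's DNS servers as secondaries), sketched as an added `named.conf` example that is not from any poster's actual configuration. The zone name, file paths and the 192.0.2.53 secondary address are placeholders, and the `dnssec-policy` form assumes BIND 9.16 or later.

```conf
// named.conf fragment on the hidden/primary BIND server (added example).
// All names, paths and addresses below are placeholders.

options {
    directory "/var/cache/bind";
    // Refuse zone transfers unless a zone explicitly allows them.
    allow-transfer { none; };
};

// Placeholder for the provider's AXFR/secondary servers; substitute the
// addresses your provider documents.
acl "provider-secondaries" {
    192.0.2.53;
};

zone "example.com" {
    type primary;                          // "master" on older releases
    file "/etc/bind/zones/example.com.zone";   // unsigned zone you edit by hand

    // BIND keeps a signed copy alongside the unsigned file and serves that.
    inline-signing yes;
    // Built-in policy: BIND generates and rolls the keys itself.
    // Older BIND 9 releases used "auto-dnssec maintain;" instead.
    dnssec-policy default;
    key-directory "/var/lib/bind/keys";    // must be writable by named

    // Push the signed zone (RRSIG, DNSKEY, NSEC records included) to the
    // secondaries, and let only them pull it.
    notify yes;
    also-notify { provider-secondaries; };
    allow-transfer { provider-secondaries; };
};
```

Once the zone is signed, `dig +dnssec example.com SOA` against a secondary should return RRSIG records alongside the answer; the chain of trust is only complete after the DS record for the zone's key has been uploaded at the registrar, which is the step several posters above report being blocked on.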

All of that is true, of course, but I am a marketing guy so I look at it from a slightly different perspective.

Clearly, Linode and DigitalOcean share much the same customer base. But because Linode takes the attitude that they won't or don't need to provide a platform which is higher specced and more capable than their closest competitors, they end up fighting over the same customer base, and as a result hosting decisions tend to be made for aesthetic and price reasons, in fact for any reasons other than specification and capability.

My take on it is, they only provide DNS because at some level it's expected, so they have to.

Personally, because of their attitude to DNSSEC, I now use Cloudflare DNS (not their CDN/network) which is DNSSEC capable, has cname flattening, is free, and is faster than Linode's non-DNSSEC, non-cname flattening DNS. Plus they also provide me with a free IPFS gateway.

In fact, Linode told me about 3 years ago they were considering automatic GMail MX record creation and Zone file import. So far, usual story - nada!

What's to like about Linode DNS? Not much.

What's not to like about Cloudflare DNS?
