Forgot your password?
typodupeerror
Security Networking The Internet

Ask Slashdot: Which Registrars Support DNSSEC? 70

Posted by timothy
from the are-you-now-or-have-you-ever-been dept.
baerm writes "With GoDaddy being purchased by private equity firms (i.e. it will be sucked dry with service reduction and price increases until it dies) what other Registrars support DNSSEC? GoDaddy is the only registrar I could find that supports DNSSEC for registrees running their own DNS. It was fairly easy to add the Key Signing Keys' DS records to the parent zone using its DNS config. I did find a couple other registrars that were 'testing' DNSSEC or that would support DNSSEC if they ran your DNS. But I couldn't find any other registrars where you could just register, run your own DNS, and use DNSSEC (i.e. with your DS record in your parent zone). That being said, I was only able to research a small percentage of the registrars out there. Does anyone know of registrars, other than GoDaddy, that allow for DNSSEC? That is, registrars that have a method to pass the DS records to the parent zones for their registeree's domains?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Which Registrars Support DNSSEC?

Comments Filter:
    • Re:DynDNS does it (Score:4, Informative)

      by chrisgeleven (514645) on Monday July 04, 2011 @04:33PM (#36655338) Homepage

      Yep, we support DNSSEC on .com, .net, .org, .biz, and .se. No need to use us for DNS (although you certainly can, any DynECT Managed DNS products support DNSSEC).

      • by baerm (163918)

        This is good to know. When I looked at dyndns a few months ago, I was unable to find away to upload DS records to my parent. In fact, this appeared to me to be a registrar that would only support DNSSEC if it managed the DNS (which would already put it ahead of most at the time). I'm hoping this is a fairly recent change and it wasn't just my failure to figure it out at the time. I was a bit disappointed too, because I really like dyndns. It seems to me to be one of the more professional registrars (mo

        • We added DNSSEC support for the major TLDs several months ago, sounds like right after you looked. The domain registration page for supported domains will show a section for adding DS records.

      • by Tacvek (948259)

        Your DYNDns.com website does not make it particularly clear that you support DNSSEC on your domain registration product.

        You provide the documentation for setting up DNSSec for a domain on http://www.dyndns.com/support/kb/implementing_dnssec.html [dyndns.com], but you don't mention how to submit the information needed for DS records, so you can submit the DS records to the Registry for inclusion in the TLD zone. That page appears to not have been updated in a while, which is probably why it lacks that information.

        I woul

        • Yeah that DNSSEC page looks very old, I hadn't even realized it existed until now. Thanks for bringing this up. We are working on rewriting docs so I will make sure this gets addressed.

          Once you have a registered domain in your account, for supported TLDs there is a 'DNSSEC DS records' section on your domain registration page.

  • This seems like a good time to start an open-source minded registrar.
    • Re:Hmmmm (Score:4, Interesting)

      by TooMuchToDo (882796) on Monday July 04, 2011 @03:28PM (#36654916)

      Several months ago, I thought about opening a coop model registrar, in the same vein as ARIN or other non-profit resource management organizations, but didn't think there'd be enough demand (IT people would dig it, but not your average joe, who is going to use GoDaddy). How difficult is it to start a registrar?

      • I don't think it would be terribly difficult, but the expense of the whole process tends to dissuade people from trying.

        • Re: (Score:3, Informative)

          by Anonymous Coward

          correct, there is a 2500$ non-refundable fee, plus a 175000$ payment upon approval, plus you must have 70000 extra just in case, plus you must prove that you can run a profitable operation and tons of other impediments.

          ICANN and verizon control everything and they want to keep it that way.

          We are actually thinking about an open source registrar model, but those costs are making it very difficult.

          There is a great market there, ICANN only charges like 23cents a year for the name, godaddy and the rest of the re

          • by Anonymous Coward

            Verizon? You meant VeriSign ;)

          • by TooMuchToDo (882796) on Monday July 04, 2011 @04:33PM (#36655336)

            I run a (substantially) profitable hosting operation with several million dollars in the bank (business accounts, I don't pay myself more than my co-workers/employees).

            So, I can run a profitable operation, the question is, are there enough people willing to purchase domain services from a non-profit?

          • by gpuk (712102)

            Don't forget Verisigns also charge a wholesale fee of $7.34 as the administrator of the .com namespace.

  • by lothos (10657) on Monday July 04, 2011 @03:33PM (#36654964) Homepage

    Name.com and Network Solutions are two of the big, well-known registrars that support DNSSEC. .org was the first to support DNSSEC.

    Here's a list of registrars that support DNSSEC for .org: http://www.pir.org/get/registrars?order=field_dnssec_value&sort=desc [pir.org]

    • by Anonymous Coward

      " .org was the first to support DNSSEC."

      No it wasn't. .SE was the first TLD. .MUSUEM was the first non-ccTLD.

  • by jchawk (127686) on Monday July 04, 2011 @03:35PM (#36654978) Homepage Journal

    I'm not sure why we should immediately assume that GoDaddy will suck just because they were purchased by a private equity firm. GoDaddy had every intention of going public but choose not to because of how they would have had to report their earnings/recognize revenue. From what I remember they would essentially split the revenue of a domain registration out over the life of the domain registration as opposed to immediately upon payment.

    GoDaddy is a cash cow that will likely continue to be a cash cow if they parent firm let's GoDaddy continue to operate in the manner they have done so since they were founded.

    I'm not an investment equity firm but if I were I would look to maximize revenue over as long of a timeline as possible. GoDaddy has no real tangible assets to come in and suck dry like a large manufacture might so sucking the life out really doesn't make a lot of financial sense.

    I've been happy with GoDaddy over the years and will continue to use them until their service slips or their prices get out of control.

    • by HFShadow (530449)

      Wait, godaddy doesn't suck already? I don't see how they could possibly get much worse.

      • I've never used their service, but I do know that I refuse to support any business whose advertising is as dumb and pandering as theirs.
        • by jhoegl (638955)
          I used them through work. Bought an SSL certificate back in the day (2007 I think), and called them up to verify a few things.
          Their people were bright, easy to work with, and answered all of my questions.
          Since then I have had no problems with them except for their busy website.
          • They've been my registrar for the last 6-9 years and other then their website being a bit confusing at times, they've been easy to deal with. I was even impressed that their phone support people were in the States and actually spoke english and they didn't work from a damn script. Knowledgable folks and they solved the problem within minutes plus I got a confirmation email for the trouble ticket

        • by jd2112 (1535857)

          I've never used their service, but I do know that I refuse to support any business whose advertising is as dumb and pandering as theirs.

          I take it you aren't a beer drinker.

          • by adolf (21054)

            The "beer" that is marketed using advertising that is as dumb and pandering as GoDaddy hardly even qualifies as beer, except perhaps in the legal sense of the term.

            Good beer does not typically resort to such tactics. It is often scarcely advertised at all.

          • I've never used their service, but I do know that I refuse to support any business whose advertising is as dumb and pandering as theirs.

            I take it you aren't a beer drinker.

            Actually, I share the same opinion that GoDaddy is crap, and I have used their services on the behalf of others (esp. to transfer the domain away), and I do drink beer. Get a clue, you can enjoy a brew and still scoff at immature and sexist ad campaigns -- What? No nearly naked men? (targeted ads at their finest -- unprofessional meatheads who care more about sex appeal in ads than the services the sex is selling.)

            Picture trying to hide the nearly lude imagery of the GoDaddy site from a client after ha

      • by mcavic (2007672)
        Their site is slow and cumbersome, but I've never actually had any problems. I wouldn't mind switching to DynDNS, but I can't afford them for 30 domains.
    • by Anonymous Coward on Monday July 04, 2011 @03:43PM (#36655052)

      If their service slips does that mean that they'll not longer shill bid on their own domain auctions, improperly block users from transferring domains to other registrars and arbitrary suspend registrants like seclist.org? Anyone who uses GoDaddy as a registrar is ignorant of what they do.

    • by Anonymous Coward

      I'm not sure why we should immediately assume that GoDaddy will suck just because they were purchased by a private equity firm.

      My impression is that private equity in the U.S. can only suck value out of companies. Seen a few and been part of one. Never once had it ended well for customers or the companies itself. The P.E. firms always made out well though.

      Anyone know of a private equity transaction that worked out better for customers?

      • by rbrausse (1319883)

        in 2005 I was intern in subsidiary controlling at a German enterprise; one of the companies was merged with an US-based competitor, financed as a 50/50 deal with the Swedish P.E. firm EQT. what I experienced and heard is not so bad, the investor seems to be long-term interested.

        today the founded company is healthy and still owned by the two founding/financing partners. no hard facts but at least an anecdote :)

    • by biodata (1981610)
      investment equity firm .... long of a timeline

      Do these two things really go together? I thought the game was to have an exit strategy so you could get your money out with a decent return as quickly as possible and find something else to invest in. I am not an equity investment form tho.

    • by Spazmania (174582)

      GoDaddy had every intention of going public but choose not to because of how they would have had to report their earnings/recognize revenue. From what I remember they would essentially split the revenue of a domain registration out over the life of the domain registration as opposed to immediately upon payment.

      Yeah, that's how the GAAP says you do it. http://en.wikipedia.org/wiki/Generally_Accepted_Accounting_Principles [wikipedia.org]

      That's how you avoid a pyramid scheme where the finances fall apart when there's no longe

      • by DarkOx (621550)

        There is nothing stopping a public company from keeping multiple sets of books as well. Yes they have to follow GAAP rules when it comes to any information they make public but they can do revenue recognition however they like to produce their own financial statements for internal decision making.

        Really with computer accounting packages its probably not even much work for anybody. I don't see what the big deal is unless the parent is correct and somebody knows they have real financial problems but the cur

    • by Minwee (522556)
      Because it saves time that way.
  • by EsbenMoseHansen (731150) on Monday July 04, 2011 @03:36PM (#36654990) Homepage

    gratisdns.dk [gratisdns.dk] supports DNSSEC for my humble domains. Some of the pages are in Danish, though :)

  • The Googlefu is clearly not with the poster.

    Name.com shows quite prominently in the first page of results.

    • by baerm (163918)

      My googlefu may be poor. I'd like to think that since I did this a few months ago, it has become more available since then. But it could be that my searching just kind of sucked. I had two problem though. One is that of the places saying they support DNSSEC, I had a very difficult time figuring out what that meant (they'll let you enter records on there site, you can have records in your own DNS (duh), or you can actually upload your DS records to your parent in some fashion). For the most part it looke

  • It would be a good idea to throw both GoDaddy and any other kind of centralized DNS out the window. In the long run, only ad hoc networks will be truly robust. Client-server of any kind is just too frail

  • by leto (8058) on Monday July 04, 2011 @04:24PM (#36655296) Homepage

    I strongly recommend using GKG.net, as they have the best (automated) XML interface that I know of. See their documentation [gkg.net]

    InternetX also has a good interface, but it is a little more complex to get going.

    Those, as well as GoDaddy, which you can only process using ugly web scraping with BeautifulSoup and Mechanize, were the first ones we supported in our DNSSEC Signer product.

    Paul Wouters, DNSSEC Evangelist at Xelerance

    • by jroysdon (201893)

      I second GKG.net [gkg.net]. I've used them for my domains. They were a little slow to add DNSSEC support for some of the gTLDs when each Registry turned up support, but once they added it, I've been in the process of moving domains back.

      The only thing I see is they still don't support dot-MOBI. Not really a big deal, as that TLD domain appears to be a flop (wouldn't you want a mobile domain to be *shorter,* not longer?)

  • pir.org has a long list [pir.org] of registrars that do .org.
  • Gandi.net is in the process of adding DNSSEC support, though I'm not sure how exactly it will work. But they are without a doubt the best domain registrar I've ever found. Far better than GoDaddy. Might be worth waiting. They say it should be completed over the next few months.

  • by Phs2501 (559902)
    As an additional factor, who other than GoDaddy supports both DNSSEC and easy-and-prompt-to-configure IPv6 glue records? I specifically moved from Network Solutions to GoDaddy because it took NetSol weeks to set up my IPv6 glue. (Their interface at the time was "Email us at ipv6req@networksolutions.com and we'll get around to it eventually. Maybe." Maybe they've added it to their admin interface at this point...)
    • who other than GoDaddy supports both DNSSEC and easy-and-prompt-to-configure IPv6 glue records

      Name.com, for one...

    • GKG.net. I chose them originally because they offered IPv6 glue. There was no waiting; it was available as soon as I'd registered my domain name.

  • As I see it, we are handing over control of DNS to "trusted" certificate providers because regular DNS can be poisoned by a rogue DNS operator. Do we really believe that no nameservers with a valid certificate are rogues? Or that certified nameservers won't get compromised? I trust certificate authorities like Verisign to watch over me just like I trusted auditors from PwC when they gave AAA ratings to AIG.

    What's going to happen is that once one nameserver gets compromised, it will be able to send signed

    • The chain of trust is only as long as the number of elements in the domain name. It is already common practice for banks and merchants to use 2nd/3rd-level domains so the chains are very short. I suppose technically your OS is an extra step in the chain (and often the most easy to compromise).

      Once an organization has setup DNSSEC for their domains there are two main vulnerabilities:
      The organization could allow it's private keys to become public and then fail to revoke them. This is smiler to their web-serve

  • We have it designated as "beta" right now, follow the status on http://easydnssec.com/ [easydnssec.com]

    You can sign your zones, etc. What you cannot yet do is submit DS keys to the regsitries directly (we're working on it) - this is a "gotcha" of our using openHRS on our backend and we've been in extensive communications with Tucows about this. We're hoping to have this resolved by end-of-summer.

    In the meantime we are using ISC's DLV as a workaround.

As of next Thursday, UNIX will be flushed in favor of TOPS-10. Please update your programs.

Working...