Ask Slashdot: Which Registrars Support DNSSEC? 70
baerm writes "With GoDaddy being purchased by private equity firms (i.e. it will be sucked dry with service reduction and price increases until it dies) what other Registrars support DNSSEC? GoDaddy is the only registrar I could find that supports DNSSEC for registrees running their own DNS. It was fairly easy to add the Key Signing Keys' DS records to the parent zone using its DNS config. I did find a couple other registrars that were 'testing' DNSSEC or that would support DNSSEC if they ran your DNS. But I couldn't find any other registrars where you could just register, run your own DNS, and use DNSSEC (i.e. with your DS record in your parent zone). That being said, I was only able to research a small percentage of the registrars out there. Does anyone know of registrars, other than GoDaddy, that allow for DNSSEC? That is, registrars that have a method to pass the DS records to the parent zones for their registeree's domains?"
Comment removed (Score:3, Informative)
Re: (Score:2)
"How do I put my actual name on the domain instead of your hidden service?"
Your question stumped me too until I thought of it for a while and figured out you are _probably_ talking about WHOIS data and private domain regisration. If so, if you ask Google/Godaddy that way, they should be able to give you a straight answer.
Or are you seriously asking how to replace their generic parked domain webpage with your own website? If so, then I don't know what to tell you.
Re: (Score:1)
GoDaddy = the worst in the world.
I once worked with a guy who had their irritating "GoDaddy! GoDaddy! who's your daddy" jingle as his ringtone. I suspected he might have been a paedophile.
Re: (Score:2)
I dunno (Score:2)
my ringtone's primary function is to wake me up or get my attention..
my kids crying would do a great job.. the only problem I really perceive is I might be standing in his bedroom half asleep consoling him over my shoulder while my cellphone carries on on the nightstand...
Re:DynDNS does it (Score:4, Informative)
Yep, we support DNSSEC on .com, .net, .org, .biz, and .se. No need to use us for DNS (although you certainly can, any DynECT Managed DNS products support DNSSEC).
Re: (Score:1)
This is good to know. When I looked at dyndns a few months ago, I was unable to find away to upload DS records to my parent. In fact, this appeared to me to be a registrar that would only support DNSSEC if it managed the DNS (which would already put it ahead of most at the time). I'm hoping this is a fairly recent change and it wasn't just my failure to figure it out at the time. I was a bit disappointed too, because I really like dyndns. It seems to me to be one of the more professional registrars (mo
Re: (Score:2)
We added DNSSEC support for the major TLDs several months ago, sounds like right after you looked. The domain registration page for supported domains will show a section for adding DS records.
Re: (Score:2)
Your DYNDns.com website does not make it particularly clear that you support DNSSEC on your domain registration product.
You provide the documentation for setting up DNSSec for a domain on http://www.dyndns.com/support/kb/implementing_dnssec.html [dyndns.com], but you don't mention how to submit the information needed for DS records, so you can submit the DS records to the Registry for inclusion in the TLD zone. That page appears to not have been updated in a while, which is probably why it lacks that information.
I woul
Re: (Score:2)
Yeah that DNSSEC page looks very old, I hadn't even realized it existed until now. Thanks for bringing this up. We are working on rewriting docs so I will make sure this gets addressed.
Once you have a registered domain in your account, for supported TLDs there is a 'DNSSEC DS records' section on your domain registration page.
Hmmmm (Score:2)
Re:Hmmmm (Score:4, Interesting)
Several months ago, I thought about opening a coop model registrar, in the same vein as ARIN or other non-profit resource management organizations, but didn't think there'd be enough demand (IT people would dig it, but not your average joe, who is going to use GoDaddy). How difficult is it to start a registrar?
It's expensive.. (Score:1)
I don't think it would be terribly difficult, but the expense of the whole process tends to dissuade people from trying.
Re: (Score:3, Informative)
correct, there is a 2500$ non-refundable fee, plus a 175000$ payment upon approval, plus you must have 70000 extra just in case, plus you must prove that you can run a profitable operation and tons of other impediments.
ICANN and verizon control everything and they want to keep it that way.
We are actually thinking about an open source registrar model, but those costs are making it very difficult.
There is a great market there, ICANN only charges like 23cents a year for the name, godaddy and the rest of the re
Re: (Score:1)
Verizon? You meant VeriSign ;)
Re:It's expensive.. (Score:4, Insightful)
I run a (substantially) profitable hosting operation with several million dollars in the bank (business accounts, I don't pay myself more than my co-workers/employees).
So, I can run a profitable operation, the question is, are there enough people willing to purchase domain services from a non-profit?
Re: (Score:2)
My point is I *want* to run it as a non-profit organization, similar to Wikipedia. I take in enough money to pay for servers, developers, etc. and keep prices as low as possible, since I have no shareholders demanding their pound of flesh.
Re: (Score:2)
I work for a domain registrar. It's possible to run a registrar as a low cost service, but it's purely a volume business.
In fact, the only way you can run a registrar is by pushing volumes and that needs low prices.
Re: (Score:2)
That's what I assumed. You're looking at a Wal-Mart model, with an extremely slim margin per domain purchased.
Re: (Score:2)
Don't forget Verisigns also charge a wholesale fee of $7.34 as the administrator of the .com namespace.
Re: (Score:2)
The www may not be "required" but it's much more difficult to run a reliable site without it since you then can't use CNAME records to cheaply eliminate a single point of failure.
There's more to the internet than the web, remember.
Re: (Score:2)
Registrars that support DNSSEC (Score:5, Informative)
Name.com and Network Solutions are two of the big, well-known registrars that support DNSSEC. .org was the first to support DNSSEC.
Here's a list of registrars that support DNSSEC for .org: http://www.pir.org/get/registrars?order=field_dnssec_value&sort=desc [pir.org]
Re: (Score:1)
" .org was the first to support DNSSEC."
No it wasn't. .SE was the first TLD. .MUSUEM was the first non-ccTLD.
Why do we immediately assume GoDaddy will suck? (Score:3, Interesting)
I'm not sure why we should immediately assume that GoDaddy will suck just because they were purchased by a private equity firm. GoDaddy had every intention of going public but choose not to because of how they would have had to report their earnings/recognize revenue. From what I remember they would essentially split the revenue of a domain registration out over the life of the domain registration as opposed to immediately upon payment.
GoDaddy is a cash cow that will likely continue to be a cash cow if they parent firm let's GoDaddy continue to operate in the manner they have done so since they were founded.
I'm not an investment equity firm but if I were I would look to maximize revenue over as long of a timeline as possible. GoDaddy has no real tangible assets to come in and suck dry like a large manufacture might so sucking the life out really doesn't make a lot of financial sense.
I've been happy with GoDaddy over the years and will continue to use them until their service slips or their prices get out of control.
Re: (Score:3)
Wait, godaddy doesn't suck already? I don't see how they could possibly get much worse.
Re: (Score:2)
Re: (Score:2)
Their people were bright, easy to work with, and answered all of my questions.
Since then I have had no problems with them except for their busy website.
Re: (Score:2)
They've been my registrar for the last 6-9 years and other then their website being a bit confusing at times, they've been easy to deal with. I was even impressed that their phone support people were in the States and actually spoke english and they didn't work from a damn script. Knowledgable folks and they solved the problem within minutes plus I got a confirmation email for the trouble ticket
Re: (Score:2)
I've never used their service, but I do know that I refuse to support any business whose advertising is as dumb and pandering as theirs.
I take it you aren't a beer drinker.
Re: (Score:2)
The "beer" that is marketed using advertising that is as dumb and pandering as GoDaddy hardly even qualifies as beer, except perhaps in the legal sense of the term.
Good beer does not typically resort to such tactics. It is often scarcely advertised at all.
Re: (Score:2)
I've never used their service, but I do know that I refuse to support any business whose advertising is as dumb and pandering as theirs.
I take it you aren't a beer drinker.
Actually, I share the same opinion that GoDaddy is crap, and I have used their services on the behalf of others (esp. to transfer the domain away), and I do drink beer. Get a clue, you can enjoy a brew and still scoff at immature and sexist ad campaigns -- What? No nearly naked men? (targeted ads at their finest -- unprofessional meatheads who care more about sex appeal in ads than the services the sex is selling.)
Picture trying to hide the nearly lude imagery of the GoDaddy site from a client after ha
Re: (Score:1)
Re:Why do we immediately assume GoDaddy will suck? (Score:4, Informative)
If their service slips does that mean that they'll not longer shill bid on their own domain auctions, improperly block users from transferring domains to other registrars and arbitrary suspend registrants like seclist.org? Anyone who uses GoDaddy as a registrar is ignorant of what they do.
Re: (Score:1)
I'm not sure why we should immediately assume that GoDaddy will suck just because they were purchased by a private equity firm.
My impression is that private equity in the U.S. can only suck value out of companies. Seen a few and been part of one. Never once had it ended well for customers or the companies itself. The P.E. firms always made out well though.
Anyone know of a private equity transaction that worked out better for customers?
Re: (Score:2)
in 2005 I was intern in subsidiary controlling at a German enterprise; one of the companies was merged with an US-based competitor, financed as a 50/50 deal with the Swedish P.E. firm EQT. what I experienced and heard is not so bad, the investor seems to be long-term interested.
today the founded company is healthy and still owned by the two founding/financing partners. no hard facts but at least an anecdote :)
Re: (Score:1)
Do these two things really go together? I thought the game was to have an exit strategy so you could get your money out with a decent return as quickly as possible and find something else to invest in. I am not an equity investment form tho.
Re: (Score:2)
GoDaddy had every intention of going public but choose not to because of how they would have had to report their earnings/recognize revenue. From what I remember they would essentially split the revenue of a domain registration out over the life of the domain registration as opposed to immediately upon payment.
Yeah, that's how the GAAP says you do it. http://en.wikipedia.org/wiki/Generally_Accepted_Accounting_Principles [wikipedia.org]
That's how you avoid a pyramid scheme where the finances fall apart when there's no longe
Re: (Score:2)
There is nothing stopping a public company from keeping multiple sets of books as well. Yes they have to follow GAAP rules when it comes to any information they make public but they can do revenue recognition however they like to produce their own financial statements for internal decision making.
Really with computer accounting packages its probably not even much work for anybody. I don't see what the big deal is unless the parent is correct and somebody knows they have real financial problems but the cur
Re: (Score:2)
Gratisdns (Score:3)
gratisdns.dk [gratisdns.dk] supports DNSSEC for my humble domains. Some of the pages are in Danish, though :)
Google it (Score:2)
The Googlefu is clearly not with the poster.
Name.com shows quite prominently in the first page of results.
Re: (Score:1)
My googlefu may be poor. I'd like to think that since I did this a few months ago, it has become more available since then. But it could be that my searching just kind of sucked. I had two problem though. One is that of the places saying they support DNSSEC, I had a very difficult time figuring out what that meant (they'll let you enter records on there site, you can have records in your own DNS (duh), or you can actually upload your DS records to your parent in some fashion). For the most part it looke
I remember numbers better than names (Score:1)
It would be a good idea to throw both GoDaddy and any other kind of centralized DNS out the window. In the long run, only ad hoc networks will be truly robust. Client-server of any kind is just too frail
GKG and InternetX support DNSSEC (Score:4, Informative)
I strongly recommend using GKG.net, as they have the best (automated) XML interface that I know of. See their documentation [gkg.net]
InternetX also has a good interface, but it is a little more complex to get going.
Those, as well as GoDaddy, which you can only process using ugly web scraping with BeautifulSoup and Mechanize, were the first ones we supported in our DNSSEC Signer product.
Paul Wouters, DNSSEC Evangelist at Xelerance
Re: (Score:2)
I second GKG.net [gkg.net]. I've used them for my domains. They were a little slow to add DNSSEC support for some of the gTLDs when each Registry turned up support, but once they added it, I've been in the process of moving domains back.
The only thing I see is they still don't support dot-MOBI. Not really a big deal, as that TLD domain appears to be a flop (wouldn't you want a mobile domain to be *shorter,* not longer?)
Re: (Score:2)
Yes. I was working through the Tunnelbroker.net "IPv6 Certification" exercises, and needed a registrar that offered IPv6 glue. GKG.net was at the top of a list of alternatives to GoDaddy.com that offered IPv6 glue.
Here's a list for .org (Score:2)
Coming soon to Gandi (Score:2)
Gandi.net is in the process of adding DNSSEC support, though I'm not sure how exactly it will work. But they are without a doubt the best domain registrar I've ever found. Far better than GoDaddy. Might be worth waiting. They say it should be completed over the next few months.
IPv6 (Score:2)
Re: (Score:1)
who other than GoDaddy supports both DNSSEC and easy-and-prompt-to-configure IPv6 glue records
Name.com, for one...
Re: (Score:2)
GKG.net. I chose them originally because they offered IPv6 glue. There was no waiting; it was available as soon as I'd registered my domain name.
Re: (Score:2)
About 30,581,796 domains at time of this post.
http://www.dailychanges.com/ [dailychanges.com]
Why DNSSEC? (Score:2)
As I see it, we are handing over control of DNS to "trusted" certificate providers because regular DNS can be poisoned by a rogue DNS operator. Do we really believe that no nameservers with a valid certificate are rogues? Or that certified nameservers won't get compromised? I trust certificate authorities like Verisign to watch over me just like I trusted auditors from PwC when they gave AAA ratings to AIG.
What's going to happen is that once one nameserver gets compromised, it will be able to send signed
Re: (Score:2)
The chain of trust is only as long as the number of elements in the domain name. It is already common practice for banks and merchants to use 2nd/3rd-level domains so the chains are very short. I suppose technically your OS is an extra step in the chain (and often the most easy to compromise).
Once an organization has setup DNSSEC for their domains there are two main vulnerabilities:
The organization could allow it's private keys to become public and then fail to revoke them. This is smiler to their web-serve
easyDNS support (Score:1)
We have it designated as "beta" right now, follow the status on http://easydnssec.com/ [easydnssec.com]
You can sign your zones, etc. What you cannot yet do is submit DS keys to the regsitries directly (we're working on it) - this is a "gotcha" of our using openHRS on our backend and we've been in extensive communications with Tucows about this. We're hoping to have this resolved by end-of-summer.
In the meantime we are using ISC's DLV as a workaround.