I'm looking for a registrar with DNSSEC support, preferably

You are currently reading a thread in /g/ - Technology

Thread replies: 12
Thread images: 1
I'm looking for a registrar with DNSSEC support, preferably one with the freedom to add my own arbitrary RRs, as opposed to being bound to only a select few types of RRs. It'd also be nice to create my own signing keys and algorithms and send my TLD my own DS RR, so it'd be awesome to use my own authoritative name server for my domain.

Any recommendations? Is it possible to use your own authoritative name server, and just pay for the domain name registration and delegation?
>>
Shameless bump.
>>
>>53584727
>Is it possible to use your own authoritative name server, and just pay for the domain name registration and delegation?
Why wouldn't it be? That's what I do, just set yourself up as the nameserver.

Still need to find something with DNSSEC support but
>thinking DNSSEC is any less secure than regular DNS
>>
>>53585696
Thanks for your reply, but I'm not sure I'm able to upload my DS RR to my TLD. Do I have to contact my registrar or ICANN for this?
>>
>>53585747
Well, with the example of namecheap, I just choose “Custom DNS” when it asks me what nameservers I'd like to use and point it at the existing record of my NS (e.g. ns.example.com).

(ns.example.com has static A and AAAA records that point directly at my IP)
>>
>>53585905
Forgot to add:

The net result of this is that namecheap installs a SOA record for my domain which points towards ns.example.com as the authoritative NS for this zone.
>>
>>53585916
Right, that's how it's done with normal DNS, but for a DNSSEC chain of trust you also need an additional DS RR in the authoritative zone of the parent domain, the TLD in my case.

I'll send my registrar a message if this can be done because I haven't found this in their administration panel.
>>
>>53585905
>>53585916
Oh, and if you want your NS to be a subdomain of the actual domain you're registering, your registrar also needs to support glue records, so they can directly resolve ns.example.com.

NameCheap supports this feature, but only for ns1, ns2, ns3...ns9 and dns1..dns3 subdomains.
>>
>>53585963
Oh, okay. I thought you were asking about DNS 101 here.

Again,
>DNSSEC
Completely overrated and worthless feature that will only serve to make you subconsciously believe that anything has changed.
>>
>>53585977
DNSSEC complicates things a little bit, but luckily it doesn't change anything; it's an extension to DNS, as I'm sure we'll both agree on.

But with
>DNSSEC is completely overrated and worthless
I'm going to have to disagree. DNSSEC adds integrity to all queries, which is very useful to guarantee the queries haven't been tampered with. It's also necessary when you want to use, for example, TLSA (DANE) or SSHFP RRs.
>>
>>53586062
>DNSSEC adds integrity to all queries, which is very useful to guarantee the queries haven't been tampered with.
Unless they can fake the chain, which is easy for a TLA to do with the design of DNSSEC.

>TLSA/DANE
Is meaningless. If they can fake your X.509 chain of trust, they can fake your DNSSEC chain of trust.

But don't just take my word for it
http://sockpuppet.org/blog/2015/01/15/against-dnssec/
http://www.theregister.co.uk/2015/03/18/is_the_dns_security_protocol_a_waste_of_everyones_time_and_money/

https://cr.yp.to/talks.html#2009.08.11

tl;dr use DNSCurve if you care.
>>
>>53586249
>>DNSSEC adds integrity to all queries, which is very useful to guarantee the queries haven't been tampered with.
>Unless they can fake the chain, which is easy for a TLA to do with the design of DNSSEC.
I doubt they can fake the chain if you have your own authoritative name server, create your own keys, send your parent domain your DS, and resolve all queries using your own DNSSEC resolver with the root key trust anchor.
>>TLSA/DANE
>Is meaningless. If they can fake your X.509 chain of trust, they can fake your DNSSEC chain of trust.
They could only do that, in theory, when your registrar is also the same party you use for your X.509 certificate signing. Using DANE you could use your self-signed certificate.
>But don't just take my word for it
>http://sockpuppet.org/blog/2015/01/15/against-dnssec/
Wait, this one argues two different technologies. DNSSEC is an autonomous entity, just like TLS. Both can complement each other for authentic lookup and secure communication. Without DNSSEC, I could spoof your DNS request to point to my own server with a valid certificate which I signed by a trusted CA.
>http://www.theregister.co.uk/2015/03/18/is_the_dns_security_protocol_a_waste_of_everyones_time_and_money/
And this one simply asserts that it's too difficult and costly, which is not true. Every authoritative name server implementation supports DNSSEC nowadays, and you could even choose a proper ECC signing algorithm or curve (like ECDSA, or EdDSA for Edwards Ed25519 curve) that offers strong cryptography, while also being less computationally intensive than regular RSA.
>https://cr.yp.to/talks.html#2009.08.11
>tl;dr use DNSCurve if you care.
That's partially true. djb's DNSCurve only adds confidentiality to the added integrity like DNSSEC does.
This is a 4chan archive - all of the content originated from them. If you need IP information for a Poster - you need to contact them. This website shows only archived content.