Who is running DNSSEC domains, using validation for their dns?


DNSSEC  

6 members have voted

  1. Do you have any domains that are dnssec compliant?

    • Yes, all of them
    • Yes, at least 1 of the multiple domains is using it
    • Working on getting there
    • No
    • What is DNSSEC?

  2. My dns, be it a forwarder or resolver, allows me to do dnssec validation

    • Yes
    • No
    • What is a resolver? How does that play with dnssec?



So I don't really have any domains with any sort of real traffic or any real importance to me or any users, etc.  I wouldn't say I have any sort of personal sites that I would call production.  They are all for my own amusement and testing/playing.  But got a bug up my ass on how fast I could set up a full ipv6 supported site with dnssec.

I was a bit disappointed that my registrar didn't support dnssec (namecheap).  They have mention of it in their forums, etc. and guess it's on their radar.  But not yet ready?  Do believe in 2013 ICANN made it so to be accredited you have to have dnssec support..

So found dynadot, they have it, and with support for my tlds of my other domains .net, .info, .ws, .pw, .xyz (might have to transfer to them so all domains can have dnssec).  So gave it a test run and fired up a new domain.  I had a host I know has ipv6 since I have had a few sites on ipv6 for a while.  So just needed to set up dnssec, but seems while dynadot allows you to upload your DS records, the dns they provide you when you register a domain doesn't have dnssec.  WTF??  My webhost dreamhost doesn't have it either, again working on it.  HE doesn't yet support it..

So, ok, figured this is just a test - I will set up bind on a couple of vps I have and sweet - but 2 of the 3 vps companies don't have ipv6..  But 1 does, so I ordered a second vps on that one.  So while it took me a bit longer than 15 minutes I did get it done with not too much effort.  But very disappointed in both the ipv6 support and for sure dnssec dns providers and registrars.

And dynadot seems to have an issue with putting in the SHA-256 DS.. Have a ticket open with them.. So the domain only has 1 DS, but it passes all tests.

So that made me curious how many people are setting up dnssec for their domains?  Who is providing the dns, what registrar?

Also curious if you're using it at home/work to resolve domains.. You can do a simple test here. Tells you protected or not protected..


I tried running Unbound as my local resolver, but the system I ran it on (An OpenWRT router) didn't have much memory so often it'd just stop responding. Since then I moved ISPs and my current one has private CDNs that they provide by hijacking certain DNS entries, which conflicts with it a bit (And their normal DNS server doesn't do DNSSEC at all, so I'd have to run a recursive resolver, or a hybrid setup, either way not worth it)

I like the idea behind DNSSEC, but in practise it's pretty awful. That said DNS itself is pretty badly implemented (I just found out today my local resolver mishandles the ANY query, etc.)


I have a problem: my ISP has actually done some transparent DNS proxy filtering. DNSSEC doesn't help the user in this case, especially if that ISP is the only ISP in my current work area, that is until I move to another location.

Thankfully DNSCurve solves my problem.


I've implemented DNSSEC in a production environment, seems to work OK.

It was only configured because the client was pretty anal with their requirements.

DNSSEC and NPS are probably the 2 technologies I've only implemented a handful of times, otherwise it's too much screwing around.


You can validate dnssec domains here..  But let's take a look at what nonsense Steve is up to with his check.

http://dnssec-debugger.verisignlabs.com/

edit:  oh that is just his normal dns, let's query ###### and then tell the user this dns server is faster, etc..

If you want a simple place to see if what you're using is doing dnssec just go here: http://dnssectest.sidnlabs.nl/test.php
