DNSSEC is wonderful

DNSSEC is very cool. It secures DNS, preventing cache poisoning attacks, and it allows you to generate trustworthy SSL certificates bound to your domain name at zero cost. We all hate the snake oil SSL certificate sellers, don't we?

I look around and nobody is using DNSSEC yet. Why? Use it, people, it's great!

For an easy introduction I recommend this book:

https://www.michaelwlucas.com/nonfiction/dnssec-mastery

Or… Does nobody run their own DNS servers anymore?

23 Replies

> @sednet:
>
> Or… Does nobody run their own DNS servers anymore?

+1

> @hoopycat:
>
> > @sednet:
> >
> > Or… Does nobody run their own DNS servers anymore?
>
> +1

I run my own DNS servers, and I have signed all the domains that my registrar(s) allow me to upload a DS/KSK for.

BIND's inline-signing feature <3.

> @staticsafe:
>
> I run my own DNS servers, and I have signed all the domains that my registrar(s) allow me to upload a DS/KSK for.
>
> BIND's inline-signing feature <3.

Sadly I'm having to change registrar just to upload my DS records. Most registrars are really dragging their feet on DNSSEC.

BIND managed keys are very nice.

> @sednet:
>
> > @staticsafe:
> >
> > I run my own DNS servers, and I have signed all the domains that my registrar(s) allow me to upload a DS/KSK for.
> >
> > BIND's inline-signing feature <3.
>
> Sadly I'm having to change registrar just to upload my DS records. Most registrars are really dragging their feet on DNSSEC.
>
> BIND managed keys are very nice.

Considering moving my domains to a new registrar for this exact reason. Which domain registrar did you go with in the end? I'm thinking of moving to Gandi.net.

Does Linode support DNSSEC now? A Google search on this turned up documentation stating they don't.

@Malibyte What you've read is correct. We don't currently offer DNSSEC. We don't have an ETA, and we're aware of interest in this feature.

I am trying to set up an IPFS gateway on a subdomain and I cannot do that without DNSSEC.

I have no interest in starting a debate in the pros and cons of DNSSEC but I should very much like to know why Linode seems to be going against the need for greater security and still doesn't offer DNSSEC functionality on its DNS servers.

Why is that?

@pubdirltd We really appreciate you sharing your thoughts with us about DNSSEC. This feature is something that is definitely on our radar. I've included your reply in our internal tracker, and we will be sure to post updates to our blog as we have them.

@rdaniels With all due respect, Linode has been saying the exact same thing for the last two years, to my knowledge, so probably even longer. And that standard answer doesn't answer my question -- why not?

@pubdirltd I think it's become something of a chicken-and-the-egg thing. Last I knew, the support of registrars for DNSSEC is somewhat spotty (most recent review of registrar support for DNSSEC I know of is here, and that's 2.5 years old). If the registrars are only supporting it spottily, I'm not surprised that DNS hosting providers like Linode haven't made it a priority. And I'm not sure how many of Linode's competitors support it either. I know the users over at Digital Ocean are calling for DNSSEC about like they're calling for it here.

FWIW, my domain has DNSSEC, but I did it by running Bind9 on one of my Linodes, and use Linode's DNS as secondary.

I'll also note that at least Linode lets you use their DNS servers as secondaries (slaves), and their servers are configured to handle DNSSEC in this configuration. By comparison, Digital Ocean doesn't allow using their DNS servers as secondaries. I'm not sure about other competitors.

For those who don't feel comfortable configuring DNS at the command line, there are GUI solutions out there for managing your own DNS server. Webmin will handle this, and a bit of Googling indicates that it does handle DNSSEC.

I'll agree that I'd like to see the Domains section of the Linode Cloud Manager allow configuring DNSSEC on domains, but it's not like you're stuck, unable to use DNSSEC until they do.
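The setup described in the post above (BIND signing the zone on your own primary, with the hosting provider's DNS acting as secondary), as an added example that is not part of the original thread. The zone name `example.com`, the file path and the `192.0.2.53` / `2001:db8::53` addresses are placeholders; use the transfer addresses your secondary provider documents.

```conf
// named.conf fragment for a self-hosted signing primary (added example).
// All names, paths and addresses below are placeholders.

acl "secondaries" {
    192.0.2.53;      // placeholder: address the secondary transfers from
    2001:db8::53;    // placeholder: IPv6 equivalent
};

zone "example.com" {
    type primary;                            // spelled "master" on older BIND releases
    file "/var/lib/bind/example.com.zone";   // the unsigned zone file you edit by hand

    // BIND 9.16+: key generation, signing and re-signing are handled by named.
    dnssec-policy default;
    // Leave the file above unsigned; named serves and transfers a signed copy.
    inline-signing yes;

    // Only the listed secondaries may pull the signed zone by AXFR/IXFR.
    allow-transfer { secondaries; };

    // Send NOTIFY only to the listed secondaries so they pick up
    // refreshed signatures without waiting for the SOA refresh timer.
    notify explicit;
    also-notify { 192.0.2.53; 2001:db8::53; };
};
```

Once the zone is signed, `dnssec-dsfromkey` run on the generated key file prints the DS record to upload at the registrar, and `dig +dnssec` against a secondary should return RRSIG records alongside the answer.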

All of that is true, of course, but I am a marketing guy so I look at it from a slightly different perspective.

Clearly, Linode and DigitalOcean share much the same customer base. But because Linode takes the attitude that they won't or don't need to provide a platform which is higher specced and more capable than their closest competitors, they end up fighting over the same customer base, and as a result hosting decisions tend to be made for aesthetic and price reasons, in fact for any reasons other than specification and capability.

My take on it is, they only provide DNS because at some level it's expected, so they have to.

Personally, because of their attitude to DNSSEC, I now use Cloudflare DNS (not their CDN/network) which is DNSSEC capable, has cname flattening, is free, and is faster than Linode's non DNSSEC, non-cname flattening DNS. Plus they also provide me with a free IPFS gateway.

In fact, Linode told me about 3 years ago they were considering automatic GMail MX record creation and Zone file import. So far, usual story - nada!

What's to like about Linode DNS? Not much.

What's not to like about Cloudflare DNS?

+1 for DNSSEC, please. I want to implement it on some of my domains, but I really don't want to have to move away from Linode DNS since it's really nice to have everything in the Linode Cloud Manager.

@Oloryn Very glad to hear that about Linode secondary DNS being compatible with DNSSEC. I'm doing something similar here, with a Linode acting as a stealth primary. Now to look into what I need to do to configure it…

+1 for DNSSEC, can we have an ETA for this feature…

+1 for Linode to support DNSSEC.
I'm setting up my own authoritative nameserver and implementing DNSSEC. It would be great if Linode supported DNSSEC so I could then make use of a DNSSEC-aware secondary available in the Domains tab of Linode Manager.

Thanks everyone for adding your voice to this request. We don't have an ETA on this feature to share, but I wanted to let you all know that we've received your requests. We'll be sure to make an announcement on our blog if we have more news to share.

https://www.linode.com/blog/

+1 need DNSSEC in order to use ENS with a .com name.

Please put it in your todo list for Q1 2022 and be the first independent cloud provider to do the right thing and implement this decade-old internet standard.

As of today, not implementing DNSSEC is like not implementing IPv6. You can provide excuses, but they don't stand.

How is it possible that such a requested feature is not implemented yet? Even more, is it OK to have the same "noted, no ETA" answer literally for YEARS?

That's kinda the first time I'm really disappointed in Linode services :(
Without DNSSEC I can't bind my domain to ENS!

Was considering moving my DNS off Linode to my registrar (Mythic Beasts) to keep it all in one place.
The lack of DNSSEC from Linode (and any public roadmap) has now made the decision for me. Probably be the first step in migrating off Linode - more because the cost is getting harder to justify now I'm not selling any services, and retirement income lower!!

I, too, would like it if Linode supported DNSSEC and provided the necessary records as an option for any domain zone hosted there.

Is there any status update on this?

Still looking for DNSSEC to be supported by Linode's DNS service.
