Simplified problem
I want to buy a domain and make a website that is fully secured with DNSSEC.
I want to make sure that only the one right SSL certificate could be validated by the browsers and all of the rogue SSL certificates or certificates for unqualified names would be rejected.
Where can I buy a domain? Whare should I buy a certificate? (Or should I use a self-signed certificate with DNSSEC instead of CAs?) Where can I host DNS? Which providers make the whole process most convenient, most affordable, most complete, most professional, most robust, most secure?
Background
I've been hearing about the insecurity of DNS for years. I've watched all of the talks by Dan Kaminsky and others from DNS exploits to The future of DNS Security Panel. I knew that using DNS without security is a disaster waiting to happen. I followed the development of the DNSSEC standard. I celebrated the key signing ceremony.
Meanwhile I read about Thousands of SSL Certs Issued To Unqualified Names and Rogue SSL Certs Issued For CIA, MI6, Mossad and many other stories like that showing problems with the current implementation of websites secured with SSL that could be solved by DNSSEC (see: A Major Internet Milestone: DNSSEC and SSL and DNSSEC to fix the SSL mess? and SSL certificate validation and DNSSEC). Everything was on the right track to finally have a secure DNS system in place.
And now more than 2 years later I wanted to just do what everyone said I should do: use DNSSEC for a new domain. So I need a domain registrar and a DNS hosting service that supports DNSSEC. Surprisingly it is not that easy to even find out who does support DNSSEC and to what extent. It was actually much easier to find info on DNSSEC two years ago when everyone was going to support DNSSEC Real Soon Now but now years passed and I hardly see any progress done. I just hope that I was just looking in the wrong places and someone here will kindly explain all of the doubts.
I hope that other people who want to have a secure website will also find this question useful.
What is needed
- registrar and DNS servers with full DNSSEC support for
.comdomains - integration of DNSSEC with SSL certificates
What is not needed
- IPv6 support
- Web hosting
- anything more
What I found out so far
- Go Daddy offers Premium DNS service for additional $36 per year that lets you "Secure up to 5 domains with DNSSEC".
- easyDNS has DNSSEC available in Beta across all service levels (you need to enable the "beta" flag in configuration) but it doesn't seem to be production ready and judging from the lack of updates it isn't a feature of highest priority (the last update from March 2011 on the easyDNS blog).
- Name.com - according to The Register (US domain registrar does IPv6, DNSSEC) it has DNSSEC support since 2010 but right now (October 2012) I couldn't find anything related to DNSSEC on their website.
- Dynadot that is very often recommended doesn't support DNSSEC
- Namecheap that is also often recommended doesn't support DNSSEC. The support answer from 2011 suggested that it was being added but in 2012 still no ETA is given to customers.
- DynDNS was supposed to support DNSSEC, I found a link explaining DNSSEC support but it gives 404 Not Found page and offers a search box - when searching for DNSSEC I get "No results were found for your query."
- GKG was recommended online for DNSSEC support but it's hard to find any information on the level of DNSSEC support - there is a brief explanation on what is DNSSEC and how to sign Delegation Signer records in their FAQ but no information about the level of actual support can be found.
- Ask Slashdot: Which Registrars Support DNSSEC? from July 2011 - Answers list Go Daddy, DynDNS, GKG, Name.com as registrars that support DNSSEC but: see above.
- Registrars that support end user DNSSEC management, including entry of DS records by ICANN (thanks to Rob for reminding me about it) - the problem with this list is that the level of support is unknown, the fact whether you have to pay for DNSSEC additional fees is not mentioned, let alone the convenience of buying, configuring and hosting domains fully secured with DNSSEC and SSL.
- List of .ORG Registrars who have passed OT&E for DNSSEC published by the Public Interest Registry - a lot of registrars but they are listed for
.orgTLD support and as they say: "This does not indicate whether the registrar has enabled a DNSSEC service for the registrants. Please contact the registrars directly for their DNSSEC service." - How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars by the Internet Society (thanks to Nick for pointing it out) currently lists only two that support
.comTLD on the list of "Registrars Supporting DNSSEC For Registration and Hosting" ie. Go Daddy (with an additional fee of $36/year) and Dyn (with an additional fee of $330/year). See How To Sign Your Domain With DNSSEC Using Dyn, Inc and How To Sign Your Domain With DNSSEC Using GoDaddy.com for details.
Related questions
- How to find web hosting that meets my requirements?
- What is needed to add DNSSEC to my site?
- DNS hosting better managed by Domain provider or Hosting provider?
- Registrar with good security, DNS hosting, and DNSSEC and IPv6 resolvers?
In no. 1 no one is ever mentioning DNS at all.
In no. 2 answers only mention the .se TLD, there are very few answers and they seem very outdated.
In no. 3 one answer says "On projects that demand higher security, I might look for a web host that supports DNSSEC" but no more information is provided.
The only relevant answers are in no. 4 where easyDNS is recommended by someone who has never used them personally. Meanwhile, as of October 2012, the support of DNSSEC is described as "in beta" on the easyDNS feature list. Another one recommends SiteGround but searching their site for DNSSEC returns no results. Other answers recommend web hosting providers that don't meet the requirement of DNSSEC support. Also the question mentioned above lists 9 very specific requirements other than only DNSSEC (like eg. HTTP-only login cookies, two-factor authentications, no DNS record limits, DNS statistics of queries/day, audit trails etc.) which might have excluded many possible recommendations if one is only interested in DNSSEC support.
Conclusions
Is it possible that the pioneer of DNSSEC adoption would be Go Daddy and all of the "expert" DNS services are not ready yet?
I thought that by the end of 2012 the support of DNSSEC among domain registrars and DNS providers would be nearly universal. I am shocked that the support seems virtually nonexistent. Is this a result of some serious problems with the DNSSEC adoption? Or is it just not a hot topic and no one bothers anymore? According to the DNSSEC Scoreboard roughly about 0.1% of .com domains support DNSSEC. Could that be caused by the lack of DNSSEC support among registrars and DNS providers, is the information too hard to find or maybe no one cares? There is even no "dnssec" tag here.
Summary
The information is surprisingly hard to find. That is why I am asking for first-hand experience and personal recommendations.
Has anyone here actually set up a website with DNSSEC, from the domain registration to the configuration of DNS servers, to actually having a working website that is fully secured with DNSSEC?
Has anyone successfully integrated DNSSEC with SSL certificates to make sure that only the one right certificate could be validated by the browser and all of the rogue SSL certificates or certificates for unqualified names would be rejected?
Can anyone recommend any of the registrars mentioned above?
Can anyone recommend any registrar not mentioned above?
Any good experience? Bad experience?
