The sorry state of DNS hosters – or why I went DIY

Bind is a strange piece of software, but if you need to route then it or one of the other DNS server packages is needed.

DNSSEC awareness brings a new level to DNS hosting: some hosters cannot do stats but others can, and some don't offer TLSA or SSHFP records, Google included*. Another DNS supplier problem is support for large DKIM keys (my blog). I found a good DNS supplier, but having stats for the first time, and wanting 4096-bit signed messages, I decided after a month to go the homebrew route and host it myself.

You see a lot of this:

DNSSEC does not exist in the real world – WordPress (here) does not have it, although whether that is non-support or an unwillingness to set it up is an open question.

I liked my paid supplier, but it seemed I could do it myself, DNSSEC signing included, at no cost, so I switched some domains to my local Bind server. After a few moments with DNS zone syntax one went across and appears to work, and an hour later another went across. I did not have DNSSEC yet, but I appear to be able to generate keys with haveged (my blog).

That still leaves the others on paid DNS hosting to migrate, but I have fail2ban (my blog) on the case for security, and a mallet (my blog). If it all goes well I switch on DNSSEC within a week and see if it works like it does on paid hosting, then a few days after that those other zones might come home.

Moving .eu domains is a breeze provided you don't make a typo in a name, a mistake I made on the second domain: the first went across with no user issues, the second I learnt a lot from. With Bind and Webmin (my blog), zones and zone signing are put into /var/lib/bind on Debian (my blog), and since I now know the number of queries I am quite happy to do it myself. I am also happy using vi, so it's not all GUI. Grepping is important since Webmin is a bit temperamental.

Getting the keys into the registry is something I covered here (my blog), so in one day I had three domains migrated, two working and one with DNSSEC issues.

Basic DNSSEC

DNSSEC is not flawless at key migrations, so you will lose the green bar, or at least that's the real-world experience for me, the DNSSEC newbie. Maybe there's a way to avoid that with zones reloading every minute, but eventually a paid zone switched from no DNSSEC, or invalid DNSSEC, to the new green, working DNSSEC.

I had issues with .com DNSSEC keys, where again I was doing something wrong, until I started afresh the next day and got it to work. It would be nice if the dsset file was used by Webmin rather than the keys.

I have learnt a lot more doing it all myself rather than farming it out. And since I had to fix it, as they were my errors, it made for an interesting time.

Bind stats are a royal pain in the arse: the stats file is appended to rather than overwritten, so that's either a script or a creative CLI command as a cron job.
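One way to get the latest query counts out of the appended stats file without a creative cron one-liner, as an added example that is not the post's own script: it parses the dump format that `rndc stats` writes to named.stats (the sample below is constructed) and, because the counters are cumulative since named started, subtracts the previous dump to get the queries in the last interval.

```python
import re

# Constructed sample of a BIND named.stats file. Each `rndc stats` run appends
# a dump, so the file holds several cumulative snapshots.
SAMPLE_STATS = """\
+++ Statistics Dump +++ (1700000000)
++ Incoming Requests ++
               130 QUERY
++ Incoming Queries ++
                80 A
                30 AAAA
                20 MX
--- Statistics Dump --- (1700000000)
+++ Statistics Dump +++ (1700003600)
++ Incoming Requests ++
               205 QUERY
++ Incoming Queries ++
               120 A
                50 AAAA
                35 MX
--- Statistics Dump --- (1700003600)
"""

DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)$")
SECTION = re.compile(r"^\+\+ (.+) \+\+$")
COUNTER = re.compile(r"^\s*(\d+) (.+)$")


def parse_dumps(text):
    """Return every dump as (epoch, {section: {counter: value}})."""
    dumps, section = [], None
    for line in text.splitlines():
        if m := DUMP_START.match(line):
            dumps.append((int(m.group(1)), {}))
            section = None
        elif (m := SECTION.match(line)) and dumps:
            section = m.group(1)
            dumps[-1][1].setdefault(section, {})
        elif (m := COUNTER.match(line)) and section is not None:
            dumps[-1][1][section][m.group(2)] = int(m.group(1))
    return dumps


def queries_since_previous_dump(text, section="Incoming Queries"):
    """Counters are cumulative since named started, so the traffic for the
    last interval is the newest dump minus the one before it."""
    dumps = parse_dumps(text)
    if not dumps:
        return {}
    latest = dumps[-1][1].get(section, {})
    previous = dumps[-2][1].get(section, {}) if len(dumps) > 1 else {}
    return {k: v - previous.get(k, 0) for k, v in latest.items()}
```

Run it from cron after `rndc stats` and keep the last two dumps; the file can then be truncated without losing the per-interval numbers.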

I see why Bind is not liked, but for all its issues it is accomplished at what it does.

My last paid zone I have recreated and checked, and I will be switching it within a couple of days; since nobody notices DNSSEC except me, I expect little trouble.

DANE TLS

This domain has DANE and TLSA; since the TLS hashes for the certificates don't change, the records don't need adjusting. DNSSEC has an advantage as a cross-check, and if you think outside the SSL mafia box then DNSSEC might be a certification authority, or paid SSL is redundant, making self-signed TLS a practicable option.

So you might be thinking that this is kept under the radar, as it upsets many and their money-making ability.

When I switched the last domain I was reminded why I went DIY: on the right in the image my DNS supplier was doing something odd on .com, and the red line points out the issue in DNSViz. DNSSEC works, but I thought I might do better, and with my attempt I got the all-blue on the left.

oww bump bump bump down the stairs

So you take your choice, but a month in with DNSSEC I feel happy self-hosting, and the .com went straight across with the key changes, so the zoo is still DANE valid.

Eventually with an .eu I get this:


So it looks more balanced left and right, rather than left only; I re-signed the zone and think that looks pretty good.

*Even Google's paid DNS (not etc) does not seem to offer SSHFP or TLSA, so no DANE support there it seems.
