Dnssec awareness brings a a new level to dns hosting, some cannot do stats but others can, or dont offer tlsa or sshp records including google*. Another dns supplier problem is support for large dkim keys (my blog). I found a good dns supplier but having stats for the first time, and being able to have 4096 signed messages i decided to go the homebrew route and host it myself after a month.
Dnssec does not exist in the real world – wordpress (here) does not have it, although it is a question of non support, or an unwillingness to set it up
I liked my paid supplier but it seems i could do it myself and dnssec signing as well at no cost, so i switched some domains to my local bind server. After a few moments with dns syntax one went across and appears to work, and then an hour later another went across, I did not have dnssec yet but i appear to be able to generate keys with haveged (my blog) .
That still leaves the others on paid dns hosting to migrate, but i have fail2ban (my blog) on the case for security, and a mallet (my blog) It all goes well i switch on dnssec and see if it works like it does on paid hosting within a week, then in a few days those other zones might come home.
Moving .eu domains is a breeze provided you dont make a name typo, a mistake i did on the second domain, the first went with no user issues then the second i learnt a lot from. In bind and webmin (my blog) zones and zonesigning are put into /var/lib/bind on debian (my blog) and since i now know the number of queries i am quite happy to do it myself. I also happy using vi so its not all gui. Grepping is important since webmin is a bit temperamental.
The keys into the registry is something i covered here (my blog) so in one day i had three domains migrated, two working, and one with dnssec issues.
Dnssec is not flawless at key migrations and so you will loose the green bar or at least that’s a real world experience for me the dnssec newbie. Maybe theres a way to do that with zones reloading per minute but eventually a paid zone switched from no dnssec or invalid to the new green and working dnssec.
I had issues with .com dnssec keys which i again I was doing something wrong until i started afresh the next day and got to work It would be nice if the dsset file was used by webmin rather than the keys.
I have learnt a lot more doing it all rather than farming it out. And since i had to fix it as they where my errors made for a interesting time.
I see why bind is not liked, but for all its issues is accomplished at what it does.
My last paid zone i recreated and checked and i will switching it within a couple of days since nobody notices dnssec except me i expect little trouble.
This domain has dane and tlsa since tls hashes for certificates dont change the records dont need adjusting. Dnssec has an advantage as a cross check, and if you think out the ssl mafia box then dnssec might be a certification authority, or paid ssl is redundant making self signed tls a practicable option.
So you might be thinking that this is under the radar as it upsets many and there money making ability.
When i switched the last domain i am reminded why i went diy to the right in the image my dns supplier was doing something odd on .com the red line points out the issue in dnsviz. dnssec works but i thought i might do better and my attempt i got the all blue on the left..
So you take your choice, but a month in with dnssec i feel happy self hosting, and the .com went straight with the key changes, so the zoo is still dane valid.
Eventually with an .eu i get this
So it looks more balanced left and right, rather than left only, i resigned the zone and think that looks pretty good.
*Even paid google’s dns (not 22.214.171.124 etc) does not seem to even offer sshfs or tlsa so no dane support there it seems.