Adding DNSSEC to a non-supporting DNS registrar?

Hello again,

Can I add/upgrade DNSSEC to a domain registrar that does not support DNSSEC using deSEC?

Is DNSSEC support from the domain registrar a prerequisite for using deSEC?

It is not possible to use DNSSEC without DNSSEC support from both the registrar of the domain and the registry of the delegating domain.

Note that §4 of the terms of service includes:

Domains created at deSEC which do not include deSEC’s nameservers in their set of authoritative nameservers (“NS records”) or which fail to establish a DNSSEC chain of trust may receive a deletion warning and may be deleted four weeks thereafter if that condition still applies.

It has previously been stated though that you can use deSEC without DNSSEC if the delegating domain registry doesn’t support it, but you are urged to find another registrar for your domain if the delegating domain supports DNSSEC and the registrar of your domain does not. The mission of deSEC is to help and improve the availability and use of DNSSEC.

3 Likes

Can I add/upgrade DNSSEC to a domain registrar that does not support DNSSEC using deSEC?

Is DNSSEC support from the domain registrar a prerequisite for using deSEC?

It depends on what you mean by DNSSEC support.
If your registrar does not support DNSSEC on their own name servers, that is not necessarily a problem. Your registrar only needs to support delegating NS records to deSEC (obviously) and setting the DNSSEC glue (DS records) on the parent domain. If they have an input field for your DS or DNSKEY data, then you’re probably good to go.
Even if your registrar does not support it: Things may still work if the top level domain supports automatic provisioning via CDS/CDNSKEY records. If your TLD does, things will mostly just work. However, this mechanism is not widely adopted. .ch is the only TLD I know of with support for it.

2 Likes
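The two things the reply above asks your registrar (or TLD) to accept are the DS record for the parent zone and, for TLDs that poll the child, the equivalent CDS record. The script below is an added example, not code from this thread or from deSEC: it computes the DS/CDS for a DNSKEY per RFC 4034 (key tag from Appendix B, digest over the canonical owner name plus DNSKEY RDATA from section 5.1.4) and checks that a DS line you read back from the parent actually matches the key in the child zone. The DNSKEY public key used is a constructed placeholder, not a real key; all function names are this example's own.

```python
"""
Compute the DS record for a DNSKEY (RFC 4034 section 5.1.4 and Appendix B)
and check that a DS published in the parent zone really matches the key in
the child zone. A CDS record (RFC 7344) carries the same RDATA, so the same
helper produces the line a zone can publish for registries that poll CDS.

The sample public key is CONSTRUCTED (64 sequential bytes), not a real key;
it only exists so the script runs offline.
"""
import base64
import hashlib

# DS digest types from the IANA registry (RFC 4034, RFC 4509, RFC 6605)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed placeholder key material for algorithm 13 (ECDSAP256SHA256, 64 raw bytes)
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()


def canonical_name_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_fields(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """(key_tag, algorithm, digest_type, digest_hex) for the DS of this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](canonical_name_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2, rtype="DS"):
    """Presentation-format DS (for the registrar's input field) or CDS (for the child zone)."""
    tag, alg, dt, digest = ds_fields(owner, flags, protocol, algorithm, pubkey_b64, digest_type)
    return f"{owner.lower().rstrip('.')}. IN {rtype} {tag} {alg} {dt} {digest}"


def parse_ds(line: str):
    """Parse 'name. [ttl] [IN] DS tag alg dtype digest' (or CDS) into (tag, alg, dtype, digest_hex)."""
    fields = line.split()
    idx = fields.index("DS") if "DS" in fields else fields.index("CDS")
    tag, alg, dt = (int(x) for x in fields[idx + 1 : idx + 4])
    digest = "".join(fields[idx + 4 :]).upper()  # digest may be split over whitespace
    return tag, alg, dt, digest


def ds_matches(parent_ds_line: str, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if the DS published in the parent is the digest of this child DNSKEY."""
    tag, alg, dt, digest = parse_ds(parent_ds_line)
    if dt not in DIGEST_TYPES:
        return False  # unknown digest type: cannot validate, treat as mismatch
    return (tag, alg, dt, digest) == ds_fields(owner, flags, protocol, algorithm, pubkey_b64, dt)


if __name__ == "__main__":
    owner = "example.com."
    ksk = (257, 3, 13, SAMPLE_PUBKEY_B64)  # flags 257: zone key with SEP bit (a KSK)
    parent_ds = ds_record(owner, *ksk)
    print(parent_ds)                         # what you paste into the registrar's DS field
    print(ds_record(owner, *ksk, rtype="CDS"))  # what the child zone publishes for CDS polling
    print("chain of trust OK:", ds_matches(parent_ds, owner, *ksk))
```

To use it against a live delegation, take the DNSKEY with the SEP bit from your zone and the DS line returned by the parent (for example from a `dig +dnssec DS example.com` against a parent nameserver) and call `ds_matches`; a False result means the registrar entered the wrong key tag, algorithm or digest, or the key was rolled without updating the parent, which is exactly the broken chain of trust the terms of service quoted earlier refer to.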

In some places, one has to open a support ticket …

There are a few more; a list can be found at GitHub - oskar456/cds-updates: Info about CDS update support.

Stay secure,
Peter

3 Likes

Yes, this is exactly what I was looking for!

Then I can also recommend deSEC to friends and family who use a domain registrar that doesn’t support DNSSEC by default on the provider’s nameservers.

Thanks to everyone for the great help.

For reference: Registry, Registrar, DNS hoster

A hosting provider who sells domain names usually also offers DNS hosting and can be, but does not have to be, a registrar. The registrar acts as an accredited interface to the registry. Some hosting providers are not themselves registrars but use the service of one.

If the registrar does not support DNSSEC at all and the registry is not one of the few that can get the necessary information from records in the delegated zone, there is no way to get the cryptographic information into the delegating zone.

If the hosting provider is also the DNS hoster but doesn’t support DNSSEC in their own DNS hosting, they (as a registrar or through their registrar) may still be able to get the necessary records into the registry so that a different DNS hoster like deSEC can be used with DNSSEC.

1 Like

In fact, registrars for generic TLDs (i.e., not the 2-letter country codes, but for all others) are contractually obliged to offer DS record provisioning, some way or another:

Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC. Such requests shall be accepted and processed in a secure manner and according to industry best practices.
(Source: ICANN Registrar Accreditation Agreement (RAA), Section 8.1 “ADDITIONAL REGISTRAR OPERATION SPECIFICATION”)

Some registrars don’t, which is a contract violation. If this happens to you, you can file a complaint with ICANN.

Stay secure,
Peter

1 Like