DNS Secondary support

Hi deSEC Team,

are there any plans to support DNS Slave Zone on your service with DNS Master on my own server?

Best Regards,

Patrick

1 Like

Dear Patrick,

we would like to offer an API endpoint that accepts AXFR data, primarily to ease domain migration. This could be used to effectively have your own DNS Master server. It’s very unlikely that we will accept NOTIFY packets and poll for AXFR, as this comes with a vast complication of authentication of received data.

As deSEC’s main purpose is to spread the use of DNSSEC, we probably won’t offer our distribution network to zones that are already using DNSSEC. (Unless you can make a good case how this serves our purpose.)

Best,
Nils

If a domain owner doesn’t want to use third party DNSSEC keys it makes sense to run an own signing hidden primary nameserver. Individuals will have problems to find affordable anycast secondary nameservers for this purpose.

What’s the state of importing complete zones?
Will this work with NSEC3-protected zones if the domain owner has no access to the AXFR configuration of his current nameservers?

Dear renne,

thanks for joining deSEC, and welcome! We had a couple users asking for this feature, and are reluctant to implement it. There are two reasons for this:

  1. technical reasons: our infrastructure currently doesn’t provide the data structures that would be required to not sign zones on our side, but just import them. However, we’re working on having more liberty when it comes to signing zones, and to separate the tasks of deployment and signing better in our backend.
  2. political reasons: deSEC is devoted to spreading DNSSEC, not to providing free anycast. That’s why we didn’t consider offering the service that you are asking when we first started. However, monodhs had a couple good arguments as to why we should support it. However, no final decision has been made on our end yet. You’re welcome to join the discussion there, we are interested in your use-case!

Best,
Nils

1 Like