AFAICS your mission is to bring DNSsec into the field. At my side the missing motivation to bring DNSsec into the field is to find suitable Secondaries.
As you wrote, there must be lots. However I am apparently unable to just find a single one which suits my needs. Where are they? Where do they hide? Where can I find those who match my needs?
I am looking for over an hour now. But 0 results. Perhaps because none meets the most important criterion:
The CDN must be operated under and controlled by German law. Like yours!
So please, can you provide me a list with providers from Germany, who offers secondary Anycast DNS for 500+ Domains for a reasonable price? Not for domains. The domains are all registered and must not be transferred. All that should change is: The DNS.
Without Anycast I can continue to do it myself. But this might take a few years. So no DNSsec for now. Because there are more important things to do than to improve a DNS infrastructure which just works. But getting rid of 3 of my 4 NS would be something completely different. A very firm motivation to start migrating to DNSsec as fast as possible. Am I really the only one who sees it this way?
Also please think again due to following:
On this planet things get hacked. So if you ever get hacked - I do not hope this ever happens - then most of your zones might get compromized at the same time because the signing key (or option to create signatures with the HSM) falls into the hands of the attacker. A sneaky attack even only add some DNS records which are hidden to your API. Well, you do not offer warranty. However I am German. Therefor I know that you still are liable for things like Grobe Fahrlässigkeit as you cannot exclude that in Germany. And what this means is nothing you decide. This will be a court ruling.
A clever lawyer could say that you are responsible for the problem, as “not offering Secondaries” means, that you - willfully - endanger all those who could have used a Hidden Primary, as those with Hidden Primaries would not have been affected from a hack at your side. IANAL. But I would not take this risk. Really. OTOH if you have Hidden Primary support, your lawyer could argue, that those, who are affected by the hack, could have run a Hidden Primary, and as they did not, they are responsible for the damage themself.
Hence I would offer Hidden Primary support. Not via the general interface. But via contact to the service. So the people are a bit more motivated to do this only when donating …
Just my 2 cents.
PS: Please do not get me wrong:
Thank you very much for what you do! It is very inspiring. I am sure I can move a lot Domains to your service to improve their service (even that they are so unimportant, that they do not need this), perhaps I could even hand them over to the owner and get rid of some support. And I consider to do a recurring donation, because if your service manages to lower the effort at my side the saved costs can very well be yours. (But only after all the move is done and with 500+ domains. This may take years, depending on motivation.)
I am currently operating privately (I am no company) 4 Nameservers in 3 different zones, thanks to the lucky situation that I can host bind on most machines nearly for free thanks to friends (and the like). And no, I do not own all of those domains. All I do is providing DNS for all those domains for free to friends (and the like), such that they do not need to do it or worry about it. I do this for over 20 years now. Because I can. Because it does not cost me much more than the effort to install and run bind. Mostly, as I need DNS for myself anyway.
To be safe for the next 20+ years, I want to go IPv6+DNSsec+Hidden Master+Improved security. And as I am getting older best would be to get things more and more independent of me. Your service looks like a possible solution to that.
Also 2 of “my” machines are on IPv4-only sites (yes, it’s 2022 and some locations still do not offer IPv6 in a forseeable future).
Most importantly, I want to keep everything free. (Where free means: If somebody pays for it, this is me, nobody else. As I must pay this from my pocket, I need it to be as cost effective as possible for an as-long time as possible.) No, I do not offer my DNS to the general public. Just to friends, colleagues, ex-colleagues, companies, project etc. I happened to work with in the last 25+ years.
- I am German and therefor crucially need a provider from Germany. Germany only!
- Companies like CloudFlare or DynDNS are ruled out due to this
- But I am apparently unable to find a German CDN providing Secondary DNS with Multicast in all important regions of this planet.
- This is due to DSGVO and the ruling of EuGH that IP address are being considered privacy data in DE
- Hence in my reading this means, that DNS queries of German IPs must not cross the legislation border
- So they must not be answered by Servers not owned by a company which falls under German law
But all domains should be reachable from any computer as fast as possible, not only from close Germany. Hence Anycast would be a nice to have. But DSGVO wins over Anycast. And (my) lazieness (if I am not motivated due to missing Anycast) wins over DNSsec. Checkmate