On Fri, Feb 24, 2012 at 8:19 AM, <[email protected]> wrote: > Bill Owens <[email protected]> wrote on 02/24/2012 11:02:50 AM: > >> I haven't heard of NS supporting DNSSEC, and there haven't been any >> good resources to find a registrar who *does*, but this popped up > recently: >> >> http://www.icann.org/en/topics/dnssec/deploy-en.htm >> >> . . . and NS isn't on that list. FWIW, DynDNS does a fine job >> (that's who we've chosen), GoDaddy works okay too (though I think >> there are many other reasons to avoid using them) and I've heard >> good things about GKG. > > Our domains are mostly registered through Network Solutions. I've little > experience with the others you mention, other than GoDaddy screwing up > domains years ago by changing the domain's name servers to point to theirs > instead of the ones we operate for our school district customers. > > The Public Interest Registry who runs .ORG has a list of registrars that > support DNSSEC at > http://www.pir.org/get/registrars?order=field_dnssec_value&sort=desc but > they helpfully note "This does not indicate whether the registrar has > enabled a DNSSEC service for the registrants. Please contact the > registrars directly for their DNSSEC service." Apparently, NS falls into > this category. > > Given that they were the original (and for a long time ONLY) registrar, > you would think they would be an industry leader. I'm drawing a different > conclusion. > > > > > > Confidentiality Notice: > This electronic message and any attachments may contain confidential or > privileged information, and is intended only for the individual or entity > identified above as the addressee. If you are not the addressee (or the > employee or agent responsible to deliver it to the addressee), or if this > message has been addressed to you in error, you are hereby notified that > you may not copy, forward, disclose or use any part of this message or any > attachments. Please notify the sender immediately by return e-mail or > telephone and delete this message from your system.
We have several signed domains with NS including our main 'es.net', but there was no easy way to get this done. We were fortunate to be able to contact engineers at NS who worked with us to get our DS records installed, all as a manual process. From the confusion caused by having two DS records for each domain (with different hash types), it is clear that they really were pretty clueless at that time (about a year ago). It took only a few days for .net and .com entries. .org took weeks due to NS not being familiar with the mechanisms needed to enter DS records there. I suspect that the .com and .net entries were done manually as .com and .net had just started accepting DS records at that time. .org had been handling them for a while and had procedures for handling these in place and, ironically, that is what complicated things. On my semi-retirement, I passed support for our DNS on to other, very capable hands who are very knowledgeable on DNSSEC, but I suspect that a KSK roll will prove 'interesting'. -- R. Kevin Oberman, Network Engineer E-mail: [email protected] _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users

