Re: DANE and DLV

From: John Allen (johnklam.ca)
Date: Wed Jan 07 2015 - 19:58:27 CST


On 07/01/2015 3:02 PM, Viktor Dukhovni wrote:
> On Wed, Jan 07, 2015 at 02:44:11PM -0500, James B. Byrne wrote:
>
>> This is exactly our situation. We presently use DLV. I can get our
>> upstream registrar to manually add DS RRs for our .com, .net; and I
>> believe our .org tlds. But they will not do so for our principal tlds
>> that belong to .ca.
> Paul Wouters has a perfectly good DNSSEC .ca domain:
>
> nohats.ca. IN MX 10 mx.nohats.ca. ; NOERROR AD=1
> _25._tcp.mx.nohats.ca. IN TLSA 3 1 1 462573195c86e861abab8eccfbc7f0486958efdff9449ac10729b3a0f906f388 ; passed
>
> Domain name: nohats.ca
> Domain status: registered
> Creation date: 2011/11/28
> Expiry date: 2015/11/28
> Updated date: 2014/10/30
> DNSSEC: Signed
>
> Registrar:
> Name: Tucows.com Co.
>
>> Nonetheless, as we have many domains registered
>> with them, and have been using them since 2000 March 26, we are
>> reluctant to change providers.
>>
>> CIRA's answer is to change registrars. That is the easy out, for them.
>> The difficulty being the administrative and financial costs of doing
>> so for us.
>>
>> So, we await developments and in the meantime employ DLV.

I had the same problem, my domain klam.ca (the family site which I use
for experimenting) was registered with Tucows, who could not, would not
provide DNSSEC support for .ca. I switched to Gandi for all my domains;
the cost was reasonable and they provide a usable DNSSEC update console.

> The "value" of DLV is rather limited, I personally would not bother.
> If you actually want DNSSEC, switch registrars. Otherwise, wait for
> yours to get on-board.
>
> Anyway, this is somewhat off-topic for Postfix, so we should delve
> into too deeply.
>