So enabling DNSSEC was easier than I thought. All I had to do was transfer my domains to a new registrar! So I’m now registered with — the transfer process was painless, and luckily I wasn’t charged for the privilege. I think the most gruelling part was entering the IPS tag for my 10-year-old domain, and having it disappear from the dashboard. The on-boarding process took ten minutes or less, but it felt like a lifetime.

In fairness, 123-reg have been mostly okay for the last 10 years. They never lost my domains or anything like that. Unfortunately they haven’t evolved much in that time either. They still don’t offer two-factor authentication, which I dislike, but I’ve also previously tried and failed to get a DS record added by their support team. Gandi support both OTP and U2F devices, and there’s a simple form to enter the DS public key. Oh, and no security questions and answers!

I have hosted my DNS with Cloudflare for a few years now, and all I had to do was copy-paste the public key. Behold!

> dig +dnssec +multi

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28889
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 512
; IN A

;; ANSWER SECTION:
299 IN A
299 IN RRSIG A 13 3 300 (
20180203225447 20180201205447 35273
V53LT7G9K2LpYaWMjgQYwFrZYmBZG1wD5mB1Mgw+Dg== )
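The RRSIG line above carries the signing algorithm, the signature validity window and the key tag, and the header flags show whether the answering resolver set the AD (authenticated data) bit. As an added example (not part of the original post), this Python function pulls those fields out of dig text; the owner name, signer name, address and signature in the sample are constructed placeholders, since the output above omits them.

```python
import re
from datetime import datetime, timezone

# A few DNSSEC algorithm numbers from the IANA registry.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256",
              14: "ECDSAP384SHA384", 15: "ED25519"}

# Constructed sample: header flags and RRSIG numbers as in the output above;
# names, address and signature are placeholders.
SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.test. 299 IN A 192.0.2.10
example.test. 299 IN RRSIG A 13 3 300 (
        20180203225447 20180201205447 35273 example.test.
        PLACEHOLDERSIGNATURE== )
"""

# RRSIG presentation format: covered type, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name (signature follows).
RRSIG_RE = re.compile(
    r"(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+\(?\s*"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)")

def _ts(value):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_answer(dig_text, now):
    """Summarise the AD flag and every RRSIG found in dig output."""
    flags_m = re.search(r";; flags:([^;]*);", dig_text)
    flags = flags_m.group(1).split() if flags_m else []
    report = {"ad_flag": "ad" in flags, "rrsigs": []}
    for m in RRSIG_RE.finditer(dig_text):
        inception, expiration = _ts(m["inc"]), _ts(m["exp"])
        report["rrsigs"].append({
            "covered": m["covered"],
            "algorithm": ALGORITHMS.get(int(m["alg"]), f"unknown({m['alg']})"),
            "key_tag": int(m["tag"]),
            "signer": m["signer"],
            # A validator rejects signatures outside this window.
            "valid_now": inception <= now <= expiration,
            "lifetime_hours": (expiration - inception).total_seconds() / 3600,
        })
    return report

if __name__ == "__main__":
    print(check_answer(SAMPLE, datetime.now(timezone.utc)))
```

A missing `ad` flag, as in the header above, means the resolver that answered did not assert that it validated the signature; the RRSIG being present only shows the zone is signed.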

Now let’s see if I lose all my domains, and I rue the day I transferred them in the name of shiny signed DNS records 🙄

Michael is a Software Engineer working in the North West of England. Michael spends his days building hand-crafted PHP applications. Rumours of his super-hero status are currently unconfirmed. He savours his victories when solving difficult programming challenges; occasionally writing about them here, on his personal blog.