Technically Feasible

… and we're DNSSEC signed too 👏

Michael Oldroyd
⚠️ This content was imported from a previous incarnation of this blog, and may contain formatting errors

So enabling DNSSEC was easier than I thought. All I had to do was transfer my domains to a new registrar! So I'm now registered with — the transfer process was painless, and luckily I wasn't charged for the privilege. I think the most gruelling part was entering the IPS tag for my 10-year-old domain, and having it disappear from the dashboard. The on-boarding process took ten minutes or less, but it felt like a lifetime.

In fairness, 123-reg have been mostly okay for the last 10 years. They never lost my domains or anything like that. Unfortunately they haven't evolved much in that time either. They still don't offer two-factor authentication, which I dislike, but I've also previously tried and failed to get a DS record added by their support team. Gandi support both OTP and U2F devices, and there's a simple form to enter the DS public key. Oh, and no security questions and answers!

I have hosted my DNS with Cloudflare for a few years now, and all I had to do was copy-paste the public key. Behold!

> dig +dnssec +multi

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28889
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 512
; IN A

;; ANSWER SECTION:
299 IN A
299 IN RRSIG A 13 3 300 (
        20180203225447 20180201205447 35273
        V53LT7G9K2LpYaWMjgQYwFrZYmBZG1wD5mB1Mgw+Dg== )
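An added example (not from the original post) that decodes the RRSIG fields printed in the dig output above and checks the signature's validity window. The numeric fields are the ones shown; the signer name `example.org.` and the signature string are constructed placeholders, because the output above does not include them.

```python
from datetime import datetime, timezone

# Algorithm numbers from the IANA DNSSEC registry (subset).
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256",
              14: "ECDSAP384SHA384", 15: "ED25519"}

def _ts(field):
    """RRSIG times are printed as YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(rdata):
    """Split RRSIG presentation-format RDATA into its named fields."""
    tokens = rdata.replace("(", " ").replace(")", " ").split()
    if len(tokens) < 9:
        raise ValueError("RRSIG RDATA needs 8 fields plus a signature")
    return {
        "type_covered": tokens[0],
        "algorithm": ALGORITHMS.get(int(tokens[1]), "unknown(%s)" % tokens[1]),
        "labels": int(tokens[2]),         # labels in the owner name
        "original_ttl": int(tokens[3]),
        "expiration": _ts(tokens[4]),     # expiration is printed before inception
        "inception": _ts(tokens[5]),
        "key_tag": int(tokens[6]),        # identifies the DNSKEY that signed
        "signer": tokens[7],
        "signature_b64": "".join(tokens[8:]),
    }

def window_status(sig, now):
    """Validators reject a signature outside [inception, expiration]."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now > sig["expiration"]:
        return "expired"
    return "valid"

# Numeric fields are from the dig output above; the signer name and the
# signature are constructed placeholders (assumptions, not the page's values).
SAMPLE = """A 13 3 300 (
    20180203225447 20180201205447 35273 example.org.
    Q09OU1RSVUNURUQ= )"""

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE)
    for key, value in sig.items():
        print(f"{key:14} {value}")
    print("lifetime:", sig["expiration"] - sig["inception"])
    when = datetime(2018, 2, 2, tzinfo=timezone.utc)
    print("status on 2018-02-02:", window_status(sig, when))
```

The short window means the zone operator re-signs continuously, so a resolver with a badly skewed clock will treat otherwise correct answers as bogus.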

Now let's see if I lose all my domains, and I rue the day I transferred them in the name of shiny signed DNS records 🙄


Michael is a Software Engineer working in the North West of England.