<![CDATA[DNS providers offering DNSSEC (Swarm intelligence (and help) needed)]]>The german BSI declares 2025 as the Year for Email Security.

Most issues are resolved directly through the Cloudron platform. However, to fulfil all requirements, we need the support of our DNS service provider, as we rely on the service provider instead of operating our own DNS infrastructure.

SPF / DKIM / DMARC – DNSSEC / DANE / TLS are the topics that the BSI deals with.

Please help me find DNS service providers that offer DNSSEC to its customers.

This is the result of my brief research:

  • route53 (todo: research offer)
  • Namecheap (in their pro product)
  • Cloudflare (todo: research offer)
  • Gandi (seems to be supported only if the domain is managed directly by Gandi)
  • google cloud dns (todo: research offer)

I am interested in the offers. Is it possible to use only the DNS (e.g., as with DigitalOcean or Hetzner), or does the domain have to be transferred to the service provider's infrastructure? Is the service free or paid? Is it part of the DNS services supported by Cloudron or independent of them?

The next step for me is to understand DANE. Maybe someone can help me with this topic too. 🙂

]]>https://forum.cloudron.io/topic/14166/dns-providers-offering-dnssec-swarm-intelligence-and-help-neededRSS for NodeMon, 18 May 2026 09:41:24 GMTTue, 05 Aug 2025 21:47:24 GMT60<![CDATA[Reply to DNS providers offering DNSSEC (Swarm intelligence (and help) needed) on Wed, 06 Aug 2025 19:43:01 GMT]]>I moved from Cloudflare to Infomaniak (registrar) + Bunny NET (DNS).
DNSSEC works well.

]]>https://forum.cloudron.io/post/111337https://forum.cloudron.io/post/111337Wed, 06 Aug 2025 19:43:01 GMT<![CDATA[Reply to DNS providers offering DNSSEC (Swarm intelligence (and help) needed) on Wed, 06 Aug 2025 12:59:34 GMT]]>Desec is great but we hit issues when doing a restore onto a new IP address - we were locked out of desec.io due to rate limiting

We had a chat with the support and they suggested that cloudron could consider using their batch api to reduce the number of requests

But as we need to be able to recover without being locked out (out of hours) we switched to hetzner DNS instead.

TLDR; desec.io are great, the support is very good, however their rate limiting is somewhat aggressive and may catch you out in a bind.

]]>https://forum.cloudron.io/post/111319https://forum.cloudron.io/post/111319Wed, 06 Aug 2025 12:59:34 GMT<![CDATA[Reply to DNS providers offering DNSSEC (Swarm intelligence (and help) needed) on Wed, 06 Aug 2025 07:26:08 GMT]]>Cloudflare

@luckow said in DNS providers offering DNSSEC (Swarm intelligence (and help) needed):

Cloudflare (todo: research offer)(todo: research offer)

Sine I am using Cloudflare for my private domains I can share some insights.
Cloudflare even suggests on domain setup to enable and setup DNSSEC and it costs nothing.

dig hackradt.com +dnssec +short
104.21.16.1
104.21.32.1
104.21.48.1
104.21.64.1
104.21.80.1
104.21.96.1
104.21.112.1
A 13 2 300 20250807081922 20250805061922 34505 hackradt.com. 15sxpjxH76bZmTRkYJdGr9vI9htfQjOVD0T303Q4BHI7UJbWUG4gK/IX UbLXyb4Tf30gJ/TaF8Q2T3DWYunuDQ==

dig DNSKEY hackradt.com +short
256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==

and a trace

dig DS hackradt.com +trace @1.1.1.1

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> DS hackradt.com +trace @1.1.1.1
;; global options: +cmd
.                       517372  IN      NS      a.root-servers.net.
.                       517372  IN      NS      b.root-servers.net.
.                       517372  IN      NS      c.root-servers.net.
.                       517372  IN      NS      d.root-servers.net.
.                       517372  IN      NS      e.root-servers.net.
.                       517372  IN      NS      f.root-servers.net.
.                       517372  IN      NS      g.root-servers.net.
.                       517372  IN      NS      h.root-servers.net.
.                       517372  IN      NS      i.root-servers.net.
.                       517372  IN      NS      j.root-servers.net.
.                       517372  IN      NS      k.root-servers.net.
.                       517372  IN      NS      l.root-servers.net.
.                       517372  IN      NS      m.root-servers.net.
.                       517372  IN      RRSIG   NS 8 0 518400 20250819050000 20250806040000 46441 . jg9OLaEPRK9kCUHATy6mZXCba7eWr7cffsKnXOm+zKYyQf6QboUDiE69 veSbgvEpN/6wb9NxKcwTGN0phcpmH2ikVAC/9oNVAsOQ0h0li/AhC0sB jAZ+tfbk+Uah1M+8o5OSmHwXz48Iz3Kn4yisXMZ63ie6ZuON68WVfRDk p8VZ0QlG11wYIXiJ9/bbA1m6QYI5Ynl7pTfJQow1QRlreiHybh8hL0gZ USE12sdGoH1pZdUJ2WYPvHIof5ymKgbJDcz97PKy38M/phDHq13WqU3j s+3HY0YV8vpiPeyliwCzP1gywWwQfyfT1Mg4X4+DjjMf6JOWZwPvYXmy iTdrSQ==
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 11 ms

com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    86400   IN      DS      19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com.                    86400   IN      RRSIG   DS 8 1 86400 20250819050000 20250806040000 46441 . JPvqL4brDkchFLnaQfHaaeTvLQL/zWvdmHI58oh5VgPV9UMIsjjvGfJ0 fWobwOd1eCAlVhsPFNHdGb5r82tJWj4tU41VMsXG4QVsBqpOgd4H9jcx OVWndh0xPbDGzQtcF7TuItUw1s3AxOGV34WzVLvjICdTfxyiHygVstDb 0VRYISSzxMJ/HDrqFva/5+b1yAqszWFgG92PlH71ww8ARIJhfPl2Kbi4 nY5zIHGcl5xqne/febdD7O8IvfL5B5baAY/ca+HgYp/nBgROD4rRslkn 7KCQdKUC65E27v5ZA60/l4ZqsBTx7Jbh8446umZSCiWs44b0iX4ez9d0 zgoPig==
;; Received 1200 bytes from 192.36.148.17#53(i.root-servers.net) in 14 ms

hackradt.com.           86400   IN      DS      2371 13 2 A186B81B9089ECB57752A20B7B6F70A54B9A7EC7722DB1A75C34EA33 F810E098
hackradt.com.           86400   IN      RRSIG   DS 13 2 86400 20250813022949 20250806011949 20545 com. IGGaC5MlqxDYc/Lz9D1GpMtTJF1apUu/HcYp1LK747msVxvXnyadooEw 9K42ELwb0ESD5QpdhetYN+nQkGy6sw==
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      RRSIG   NS 13 1 172800 20250812002506 20250804231506 20545 com. c46CDTFjI2WMA5mRS+9duzqkVSh/ewmXqa5cGOCI/Y/8BbCulughdCFU vQOAyqicgA+3pAr4TVncozHUfwRc3w==
;; Received 1083 bytes from 192.33.14.30#53(b.gtld-servers.net) in 25 ms

This can also be viewed in a flow chart with https://dnsviz.net/d/hackradt.com/dnssec/

2db52277-6841-461d-9bdf-13009160c5c4-hackradt.com-2025-08-06-07_23_37-UTC.png

]]>https://forum.cloudron.io/post/111311https://forum.cloudron.io/post/111311Wed, 06 Aug 2025 07:26:08 GMT<![CDATA[Reply to DNS providers offering DNSSEC (Swarm intelligence (and help) needed) on Wed, 06 Aug 2025 04:57:06 GMT]]>@jdaviescoates You're welcome. It's been in the domain provider dropdown since last year (2024).

]]>https://forum.cloudron.io/post/111305https://forum.cloudron.io/post/111305Wed, 06 Aug 2025 04:57:06 GMT<![CDATA[Reply to DNS providers offering DNSSEC (Swarm intelligence (and help) needed) on Wed, 06 Aug 2025 04:40:00 GMT]]>@robi sounds great, thanks for sharing.

]]>https://forum.cloudron.io/post/111302https://forum.cloudron.io/post/111302Wed, 06 Aug 2025 04:40:00 GMT<![CDATA[Reply to DNS providers offering DNSSEC (Swarm intelligence (and help) needed) on Tue, 05 Aug 2025 23:07:38 GMT]]>Then it's good to take a look at the OSS https://deSEC.io

DNSSEC

DNS information hosted at deSEC is signed with DNSSEC, always. We use state-of-the-art elliptic-curve cryptography. Besides following operational best practice, we adopt cutting-edge developments.

Cloud Integration

Thanks to cloud integrations and language bindings, deSEC works out of the box in automated environments. Examples include Terraform providers and Go, Python, and JavaScript bindings.

Modern Record Types

We support a broad array of record types, including novel types such as HTTPS/SVCB (for CNAME-like behavior at the apex), CDNSKEY/CDS (RFC 8078, RFC 8901), or OPENPGPKEY, SMIMEA, and TLSA.

Web Interface

We think we have the coolest GUI on the market. Thanks to real-time record validation and parsing, it is very intuitive and fast to use (even on mobile devices). Get started by importing your domain.

REST API

Exert full control over your DNS via our modern API and benefit from advanced features such as bulk operations. It is well-documented and easily integrates into your scripts, tools, or CI/CD pipeline.

Multi-Factor Auth (2FA)

Accidentally shared your password with someone? Enable MFA to keep your account safe. We currently support TOTP tokens (Authenticator app), with WebAuthn in the making.

Scalability

Are you a web hoster? Start using deSEC, even with thousands of domains. Our global network ensures high availability and performance everywhere. Talk to us about your use case.

IPv6

deSEC is fully IPv6-aware: administration can be done using v6, AAAA-records containing IPv6 addresses can be set up, our name servers are reachable via IPv6.

Fast Updates

Updates to your DNS information will be published world-wide within a few seconds. Minimum required TTLs are low.

DANE / TLSA

Secure your web service with TLSA records, hardening it against fraudulently issued SSL certificates. You can also use other DANE techniques, such as OPENPGPKEY key exchange.

Let's Encrypt Integration

We provide easy integration with Let's Encrypt and their certbot tool. Further integration with other tools like acme.sh, lego, and Terraform is available.

Low-latency Anycast

We run global networks of high-performance frontend DNS servers. Your query is routed to the closest server via Anycast, so clients receive answers as fast as possible.

Open Source

deSEC runs 100% on free and open-source software. Start hacking away!

Non-profit

deSEC is organized as a non-profit organization based in Berlin. We make sure that privacy is not compromised by business interest.

]]>https://forum.cloudron.io/post/111297https://forum.cloudron.io/post/111297Tue, 05 Aug 2025 23:07:38 GMT