DNS providers offering DNSSEC (Swarm intelligence (and help) needed)
-
The German BSI declares 2025 as the Year for Email Security.
Most issues are resolved directly through the Cloudron platform. However, to fulfil all requirements, we need the support of our DNS service provider, as we rely on the service provider instead of operating our own DNS infrastructure.
SPF / DKIM / DMARC – DNSSEC / DANE / TLS are the topics that the BSI deals with.
Please help me find DNS service providers that offer DNSSEC to their customers.
This is the result of my brief research:
- route53 (todo: research offer)
- Namecheap (in their pro product)
- Cloudflare (todo: research offer)
- Gandi (seems to be supported only if the domain is managed directly by Gandi)
- google cloud dns (todo: research offer)
I am interested in the offers. Is it possible to use only the DNS (e.g., as with DigitalOcean or Hetzner), or does the domain have to be transferred to the service provider's infrastructure? Is the service free or paid? Is it part of the DNS services supported by Cloudron or independent of them?
The next step for me is to understand DANE. Maybe someone can help me with this topic too.
-
Then it's good to take a look at the OSS https://deSEC.io
DNSSEC
DNS information hosted at deSEC is signed with DNSSEC, always. We use state-of-the-art elliptic-curve cryptography. Besides following operational best practice, we adopt cutting-edge developments.
Cloud Integration
Thanks to cloud integrations and language bindings, deSEC works out of the box in automated environments. Examples include Terraform providers and Go, Python, and JavaScript bindings.
Modern Record Types
We support a broad array of record types, including novel types such as HTTPS/SVCB (for CNAME-like behavior at the apex), CDNSKEY/CDS (RFC 8078, RFC 8901), or OPENPGPKEY, SMIMEA, and TLSA.
Web Interface
We think we have the coolest GUI on the market. Thanks to real-time record validation and parsing, it is very intuitive and fast to use (even on mobile devices). Get started by importing your domain.
REST API
Exert full control over your DNS via our modern API and benefit from advanced features such as bulk operations. It is well-documented and easily integrates into your scripts, tools, or CI/CD pipeline.
Multi-Factor Auth (2FA)
Accidentally shared your password with someone? Enable MFA to keep your account safe. We currently support TOTP tokens (Authenticator app), with WebAuthn in the making.
Scalability
Are you a web hoster? Start using deSEC, even with thousands of domains. Our global network ensures high availability and performance everywhere. Talk to us about your use case.
IPv6
deSEC is fully IPv6-aware: administration can be done using v6, AAAA-records containing IPv6 addresses can be set up, our name servers are reachable via IPv6.
Fast Updates
Updates to your DNS information will be published world-wide within a few seconds. Minimum required TTLs are low.
DANE / TLSA
Secure your web service with TLSA records, hardening it against fraudulently issued SSL certificates. You can also use other DANE techniques, such as OPENPGPKEY key exchange.
Let's Encrypt Integration
We provide easy integration with Let's Encrypt and their certbot tool. Further integration with other tools like acme.sh, lego, and Terraform is available.
Low-latency Anycast
We run global networks of high-performance frontend DNS servers. Your query is routed to the closest server via Anycast, so clients receive answers as fast as possible.
Open Source
deSEC runs 100% on free and open-source software. Start hacking away!
Non-profit
deSEC is organized as a non-profit organization based in Berlin. We make sure that privacy is not compromised by business interest.
-
@robi sounds great, thanks for sharing.
-
@robi sounds great, thanks for sharing.
@jdaviescoates You're welcome. It's been in the domain provider dropdown since last year (2024).
-
Cloudflare
@luckow said in DNS providers offering DNSSEC (Swarm intelligence (and help) needed):
Cloudflare (todo: research offer)
Since I am using Cloudflare for my private domains I can share some insights.
Cloudflare even suggests on domain setup to enable and set up DNSSEC, and it costs nothing.

dig hackradt.com +dnssec +short
104.21.16.1
104.21.32.1
104.21.48.1
104.21.64.1
104.21.80.1
104.21.96.1
104.21.112.1
A 13 2 300 20250807081922 20250805061922 34505 hackradt.com. 15sxpjxH76bZmTRkYJdGr9vI9htfQjOVD0T303Q4BHI7UJbWUG4gK/IX UbLXyb4Tf30gJ/TaF8Q2T3DWYunuDQ==

dig DNSKEY hackradt.com +short
256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
and a trace
dig DS hackradt.com +trace @1.1.1.1

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> DS hackradt.com +trace @1.1.1.1
;; global options: +cmd
.                       517372  IN  NS     a.root-servers.net.
.                       517372  IN  NS     b.root-servers.net.
.                       517372  IN  NS     c.root-servers.net.
.                       517372  IN  NS     d.root-servers.net.
.                       517372  IN  NS     e.root-servers.net.
.                       517372  IN  NS     f.root-servers.net.
.                       517372  IN  NS     g.root-servers.net.
.                       517372  IN  NS     h.root-servers.net.
.                       517372  IN  NS     i.root-servers.net.
.                       517372  IN  NS     j.root-servers.net.
.                       517372  IN  NS     k.root-servers.net.
.                       517372  IN  NS     l.root-servers.net.
.                       517372  IN  NS     m.root-servers.net.
.                       517372  IN  RRSIG  NS 8 0 518400 20250819050000 20250806040000 46441 . jg9OLaEPRK9kCUHATy6mZXCba7eWr7cffsKnXOm+zKYyQf6QboUDiE69 veSbgvEpN/6wb9NxKcwTGN0phcpmH2ikVAC/9oNVAsOQ0h0li/AhC0sB jAZ+tfbk+Uah1M+8o5OSmHwXz48Iz3Kn4yisXMZ63ie6ZuON68WVfRDk p8VZ0QlG11wYIXiJ9/bbA1m6QYI5Ynl7pTfJQow1QRlreiHybh8hL0gZ USE12sdGoH1pZdUJ2WYPvHIof5ymKgbJDcz97PKy38M/phDHq13WqU3j s+3HY0YV8vpiPeyliwCzP1gywWwQfyfT1Mg4X4+DjjMf6JOWZwPvYXmy iTdrSQ==
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 11 ms

com.                    172800  IN  NS     b.gtld-servers.net.
com.                    172800  IN  NS     c.gtld-servers.net.
com.                    172800  IN  NS     g.gtld-servers.net.
com.                    172800  IN  NS     i.gtld-servers.net.
com.                    172800  IN  NS     l.gtld-servers.net.
com.                    172800  IN  NS     k.gtld-servers.net.
com.                    172800  IN  NS     h.gtld-servers.net.
com.                    172800  IN  NS     d.gtld-servers.net.
com.                    172800  IN  NS     a.gtld-servers.net.
com.                    172800  IN  NS     f.gtld-servers.net.
com.                    172800  IN  NS     e.gtld-servers.net.
com.                    172800  IN  NS     m.gtld-servers.net.
com.                    172800  IN  NS     j.gtld-servers.net.
com.                    86400   IN  DS     19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com.                    86400   IN  RRSIG  DS 8 1 86400 20250819050000 20250806040000 46441 . JPvqL4brDkchFLnaQfHaaeTvLQL/zWvdmHI58oh5VgPV9UMIsjjvGfJ0 fWobwOd1eCAlVhsPFNHdGb5r82tJWj4tU41VMsXG4QVsBqpOgd4H9jcx OVWndh0xPbDGzQtcF7TuItUw1s3AxOGV34WzVLvjICdTfxyiHygVstDb 0VRYISSzxMJ/HDrqFva/5+b1yAqszWFgG92PlH71ww8ARIJhfPl2Kbi4 nY5zIHGcl5xqne/febdD7O8IvfL5B5baAY/ca+HgYp/nBgROD4rRslkn 7KCQdKUC65E27v5ZA60/l4ZqsBTx7Jbh8446umZSCiWs44b0iX4ez9d0 zgoPig==
;; Received 1200 bytes from 192.36.148.17#53(i.root-servers.net) in 14 ms

hackradt.com.           86400   IN  DS     2371 13 2 A186B81B9089ECB57752A20B7B6F70A54B9A7EC7722DB1A75C34EA33 F810E098
hackradt.com.           86400   IN  RRSIG  DS 13 2 86400 20250813022949 20250806011949 20545 com. IGGaC5MlqxDYc/Lz9D1GpMtTJF1apUu/HcYp1LK747msVxvXnyadooEw 9K42ELwb0ESD5QpdhetYN+nQkGy6sw==
com.                    172800  IN  NS     m.gtld-servers.net.
com.                    172800  IN  NS     g.gtld-servers.net.
com.                    172800  IN  NS     c.gtld-servers.net.
com.                    172800  IN  NS     i.gtld-servers.net.
com.                    172800  IN  NS     b.gtld-servers.net.
com.                    172800  IN  NS     k.gtld-servers.net.
com.                    172800  IN  NS     e.gtld-servers.net.
com.                    172800  IN  NS     j.gtld-servers.net.
com.                    172800  IN  NS     d.gtld-servers.net.
com.                    172800  IN  NS     f.gtld-servers.net.
com.                    172800  IN  NS     l.gtld-servers.net.
com.                    172800  IN  NS     a.gtld-servers.net.
com.                    172800  IN  NS     h.gtld-servers.net.
com.                    172800  IN  RRSIG  NS 13 1 172800 20250812002506 20250804231506 20545 com. c46CDTFjI2WMA5mRS+9duzqkVSh/ewmXqa5cGOCI/Y/8BbCulughdCFU vQOAyqicgA+3pAr4TVncozHUfwRc3w==
;; Received 1083 bytes from 192.33.14.30#53(b.gtld-servers.net) in 25 ms
This can also be viewed in a flow chart with https://dnsviz.net/d/hackradt.com/dnssec/
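The DS record that .com publishes for hackradt.com and the KSK (flags 257) in the zone's DNSKEY set are linked by a hash, which is the link a validating resolver checks. The following is an added Python check, not code from the post or from Cloudflare, that recomputes the RFC 4034 key tag and the SHA-256 DS digest from the DNSKEY text in the dig output above and compares them with the DS returned by the .com servers; the record strings are copied from that output.

```python
import base64
import hashlib
import struct

# Record text copied from the dig output above. The blank inside the
# base64/hex is only dig's line wrapping and is stripped while parsing.
OWNER = "hackradt.com"
KSK = ("257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ "
       "KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
ZSK = ("256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 "
       "KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==")
DS = "2371 13 2 A186B81B9089ECB57752A20B7B6F70A54B9A7EC7722DB1A75C34EA33 F810E098"


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(text: str) -> bytes:
    """'flags protocol algorithm base64...' -> DNSKEY RDATA in wire form."""
    flags, proto, alg, *key = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))


def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (16-bit sum over the RDATA)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner wire name || DNSKEY RDATA), upper-case hex."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True if the parent's DS record was derived from this DNSKEY record."""
    tag, alg, digest_type, *digest = ds_text.split()
    if int(digest_type) != 2:
        raise ValueError("only digest type 2 (SHA-256) is handled here")
    rdata = dnskey_rdata(dnskey_text)
    return (key_tag(rdata) == int(tag)
            and rdata[3] == int(alg)  # byte 3 of the RDATA is the algorithm
            and ds_digest_sha256(owner, rdata) == "".join(digest).upper())


if __name__ == "__main__":
    print("KSK key tag:", key_tag(dnskey_rdata(KSK)))
    print("DS matches KSK:", ds_matches(OWNER, KSK, DS), "| matches ZSK:", ds_matches(OWNER, ZSK, DS))
```

The ZSK (flags 256) is deliberately run through the same check to show that only the KSK is anchored by the parent; the ZSK is trusted via the zone's own RRSIG over the DNSKEY set.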
-
deSEC is great, but we hit issues when doing a restore onto a new IP address: we were locked out of desec.io due to rate limiting.
We had a chat with the support and they suggested that Cloudron could consider using their batch API to reduce the number of requests.
But as we need to be able to recover without being locked out (out of hours), we switched to Hetzner DNS instead.
TL;DR: desec.io are great, the support is very good, however their rate limiting is somewhat aggressive and may catch you out in a bind.