Gandi Bar - DNSSEC at Gandi (UPDATED) - Comments

DNSSEC at Gandi (UPDATED) - Thomas (Gandi)

Thomas (Gandi) — Tue, 15 May 2012 18:27:00 -0400

Some of you have been asking about securing .info domains with DNSSEC at gandi.net. The .info extension is compatible with DNSSEC (it can be signed), but we have not implemented the interface to support it yet.

DNSSEC at Gandi (UPDATED) - Nicolas (Gandi)

Nicolas (Gandi) — Mon, 30 Apr 2012 04:07:53 -0400

Gian: it's already available on .com

DNSSEC at Gandi (UPDATED) - Gian

Gian — Sun, 29 Apr 2012 11:28:58 -0400

What about .com domains? When DNSSEC will be available for those domains?

Thanks

DNSSEC at Gandi (UPDATED) - Thomas (Gandi)

Thomas (Gandi) — Mon, 23 Apr 2012 10:22:28 -0400

Hi Walter,
It's all about maintaining a trust chain from the authoritative servers. You don't need to get a cert from a CA, just get the public key(s) of the zones you want to use as trust anchors. You can then generate and sign your keys using bind.
Here's a tutorial you can check out:
http://www.nlnetlabs.nl/publication...
Enjoy!

DNSSEC at Gandi (UPDATED) - Jonas B.

Jonas B. — Fri, 20 Apr 2012 14:59:44 -0400

Worked like a charm! Thanks!

DNSSEC at Gandi (UPDATED) - Walter

Walter — Fri, 20 Apr 2012 01:41:32 -0400

Does this require Verisign/Thawte or is self-signed OK? And if OK, would it cause any problems?

DNSSEC at Gandi (UPDATED) - Alex Dupuy

Alex Dupuy — Mon, 16 Apr 2012 13:04:55 -0400

This is great - between this and IPv6 support, I will be transferring my .us registration to you. My current registrar (dyn.com) provides IPv6 but not DNSSEC support for .us (at a very slightly higher price) and I was looking at some of the cheaper services (namecheap.com, name.com) but I have only one domain, I'd rather get better support for what I am already paying than save a few $$$. BTW, found your service through comments on the xkcd blag - better than advertising, but you should buy a t-shirt from Randall for the business you'll be getting that way.

DNSSEC at Gandi (UPDATED) - Romuald

Romuald — Tue, 20 Mar 2012 05:42:18 -0400

@Kyhwana
You'll be able to push the DNSKEY record using the control panel (as we compute the DS record on our side).
The API isn't live yet, but it should be quite soon (since our website use it :p)

Concerning the transfer, we don't import DS records automatically yet. Send a mail to support asking to import records (after the transfer is finalized), then you should be able to delete it from your control panel.

DNSSEC at Gandi (UPDATED) - Kyhwana

Kyhwana — Mon, 19 Mar 2012 18:03:07 -0400

Hmm, is .org available yet? Am I able to push new DS keys for .org using your API/control panel?

I shifted to name.com because you guys kept dragging your feet on DNSSEC, only to discover that name.com can't delete DS keys. -.-

If I shift my .org domain back, will you be able to delete that DS and let me reupload a new one?

Also, the .nz root domain is signed, just not any of the 2nd level domains under it, will you support .nz when those get signed?

DNSSEC at Gandi (UPDATED) - jordan shoes

jordan shoes — Sun, 18 Mar 2012 07:12:11 -0400

dragging feet I started to move domains away. But after the first one went away you enabled DNSKEY options.

DNSSEC at Gandi (UPDATED) - DickVisser

DickVisser — Sat, 17 Mar 2012 14:33:13 -0400

After 2 years of dragging feet I started to move domains away. But after the first one went away you enabled DNSKEY options.
So you guys just saved yourselves a customer!

DNSSEC at Gandi (UPDATED) - Nicolas (Gandi)

Nicolas (Gandi) — Sat, 10 Mar 2012 17:42:00 -0400

Dubya:we will have a look at it...it's just a question of test and adaptation of our system. If the DNSSEC implementation at the registry is quite standard, it's easy to add.

DNSSEC at Gandi (UPDATED) - Dubya

Dubya — Sat, 10 Mar 2012 10:35:26 -0400

.li and .in also supports DNSSEC (according to https://en.wikipedia.org/wiki/List_...). Why don't you offer DNSSEC on these?

DNSSEC at Gandi (UPDATED) - rudivd

rudivd — Fri, 09 Mar 2012 13:59:56 -0400

Wow, this is the best thing since the invention of the wheel I would imagine !
Thanks all of you at Gandi, you guys Rock !
Go set it up asap !

Rudi

DNSSEC at Gandi (UPDATED) - Somebody

Somebody — Fri, 09 Mar 2012 10:36:52 -0400

Thanks for implementing this.

DNSSEC at Gandi (UPDATED) - Nicolas (Gandi)

Nicolas (Gandi) — Thu, 08 Mar 2012 05:27:55 -0400

Rebeca: no news about .PE and DNSSEC, I will contact the registry about it
Evaryont: it won't be included in our next reelease for sure, we target it for the following (end of march/beg of April)
Treyka: Thxs, I made a request to ICANN about it

DNSSEC at Gandi (UPDATED) - treyka

treyka — Thu, 08 Mar 2012 01:31:38 -0400

Yes! Thanks for implementing this! Took a while but good job, y'all!

Now you guys should see about getting the ICANN list updated: http://www.icann.org/en/news/in-foc...

DNSSEC at Gandi (UPDATED) - Evaryont

Evaryont — Thu, 08 Mar 2012 00:24:29 -0400

Is there a time table available when the .at and .me domains will have DNSSEC available?

Thanks for this!

DNSSEC at Gandi (UPDATED) - Rebeca

Rebeca — Wed, 07 Mar 2012 15:08:15 -0400

Do you know when the .pe domain will be compatible with DNSSEC?

DNSSEC at Gandi (UPDATED) - Lennie

Lennie — Wed, 07 Mar 2012 04:54:13 -0400

Cool thanks

DNSSEC at Gandi (UPDATED) - Thomas

Thomas — Tue, 06 Mar 2012 21:09:42 -0400

Lennie,
Yes, we will be putting the DNSSEC functions we now have in the GUI under the API. That's a fairly easy thing to do, so we hope to roll it out soon.

DNSSEC at Gandi (UPDATED) - Lennie

Lennie — Tue, 06 Mar 2012 20:58:55 -0400

@Michael Moore Would you answer my question too ?:

Will you be adding the ability to update the trust-anchors through the Gandi XML-RPC API also so it can be automated ?

That should be a lot less work to add I would think.

DNSSEC at Gandi (UPDATED) - Michael Moore (Gandi)

Michael Moore (Gandi) — Tue, 06 Mar 2012 20:48:09 -0400

Yes, it is only allowed for external nameservers and not yet for Gandi's nameservers yet. We are working on making it available on Gandi's nameservers, but that is a significant undertaking, considering the amount of domains registered with us and the large majority of them using our nameservers.

DNSSEC at Gandi (UPDATED) - Lennie

Lennie — Mon, 05 Mar 2012 20:27:24 -0400

@plc I don't know if you understand English, but I think that means that your domains are using Gandi nameservers. You can currently only use DNSSEC with your "own" nameservers. It was also mentioned in the article.

DNSSEC at Gandi (UPDATED) - plc

plc — Mon, 05 Mar 2012 04:23:53 -0400

Sur mon tableau de bord, sur mon .com DNSSEC est grisé et il y a marqué en popup "L''utilisation de DNSSEC est actuellement impossible sur les DNS de Gandi"

Idem sur mes .fr, .biz, .net...

DNSSEC at Gandi (UPDATED) - Lennie

Lennie — Sun, 04 Mar 2012 15:47:12 -0400

Thank you for that, very cool.

Will you be adding the ability to update the trust-anchors through the Gandi XML-RPC API also so it can be automated ?

DNSSEC at Gandi (UPDATED) - Romuald

Romuald — Sun, 04 Mar 2012 05:48:06 -0400

@Stéphane
We've passed the .org registry certification last friday, so it should be available this week on your control panel.

DNSSEC at Gandi (UPDATED) - Stéphane Graber

Stéphane Graber — Sat, 03 Mar 2012 21:45:21 -0400

Thanks for finally implementing this!

Now I guess I just need to wait for .org to appear on the list (mine is currently signed and published in the DLV as a workaround ...).