DNSSEC - DNS/domain providers that enable DANE DNS records [closed]
Our company registered domain "example.eu" with Gandi which has a "one click solution" to enable the DNSSEC for our domain's zone. So we enabled it, waited until dnsviz inspection tool showed us that our parent zone (.eu) got the hashed public KSK from Gandi and they published it in their DS record that now authenticates our zone "example.eu").
We were also expecting from Gandi to send us the private KSK so that we could continue the chain of trust but they haven't sent anything. On their site it is also impossible to add any kind of DNSSEC DNS records like TLSA, DS...
So it looks like they support DNSSEC but don't support DANE authentication... Probably they would loose some buisness because DANE works with self-signed certifficates and would prevent companies like Gandi to make easy money by playing a role of CA and selling certifficates. DANE is a direct replacement for system of stupid CA authorities that works with self-signed certifficates!
So does anyone know of a better domain registrar that would offer us ability to manually add DANE records like DS, TLSA...?
We need TLSA records support in order to authenticate Postfix e-mail server using DANE and we need DS records support to authenticate any other physical machine using DANE and therefore continue a chain of trust.
Gandi supports DANE TLSA
records and further secure delegation (DS
records) via their LiveDNS API:
RecordType
One of :
A, AAAA, ALIAS (not yet supported with dnssec-enabled domains), CAA, CDS, CNAME, DNAME, DS, KEY, LOC, MX, NS, OPENPGPKEY, PTR, SPF, SRV, SSHFP, TLSA, TXT, WKS