[Feature Request] DNSSEC

Started by thetrusteeco, May 21, 2013, 05:17:05 AM

Should HostBill implement DNSSEC support?

Yes, immediately - don't even fix the bugs until this is done!
Yes, but not until after the bugs are dealt with.
No, it's not important and won't be for years, if ever.
I don't care about DNSSEC.
What's DNSSEC?

thetrusteeco

I requested this from Kris a couple times in the past 2 years.  He offered to start the integration for $1000, but I might need to pay more if it turned out to be complicated.  That sounded too much like a $1000 quote to pique my interest.

I know that when Hexonet rebuilt the Hexonet module they were unable to implement DNSSEC due to lack of support in the HostBill core.
I also know that when Vasicka Software built their Subreg modules they could not implement DNSSEC due to lack of support in the HostBill core.

Personally I believe that DNSSEC is as essential now, as SSL was a decade ago.

So what's DNSSEC?
Wikipedia: "The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks."

Simpler: It's security-encryption for a domain's DNS that is supposed to stop certain types of attacks against websites.  It is also a requirement for Government websites in many countries, and for advanced PCI compliance (see here).

Which TLDs support DNSSEC? More might be added by the time you read this, I'll update the list if you let me know.
Short Answer: 111/317 TLDs as of today according to ICANN.
.ac, .ag, .am, .arpa, .asia, .at, .be, .bg, .biz, .br, .bz, .ca, .cat, .cc, .ch, .cl, .co, .com, .cr, .cx, .cz, .de, .dk, .edu, .eu, .fi, .fo, .fr, .gi, .gl, .gn, .gov, .gr, .hn, .in, .info, .io, .jp, .kg, .kr, .la, .lb, .lc, .li, .lk, .lr, .lt, .lu, .lv, .me, .mil, .mm, .mn, .museum, .my, .na, .nc, .net, .nf, .nl, .nu, .nz, .org, .pl, .pm, .post, .pr, .pt, .pw, .re, .ru, .sc, .se, .sh, .si, .su, .sx, .tf, .th, .tm, .tt, .tv, .tw, .tz, .ua, .ug, .uk, .us, .vc, .wf, .yt, .测试, .परीक्षा, .한국, .испытание, .테스트, .טעסט, .ලංකා, .測試, .भारत, .آزمایشی, .பரிட்சை, .δοκιμή, .إختبار, .台湾, .台灣, .مليسيا, .ไทย, .рф, .இலங்கை, .テスト
Additionally: the CentralNIC SLDs do support DNSSEC.

Which Registrars support DNSSEC? More might be added by the time you read this, I'll update the list if you let me know.
Short Answer: Not the LogicBoxes ones.
Internet.bs (no documentation I could find except this, but I have an account and it's there), Hexonet, InternetX, Name.com, Nominet, OpenSRS (limited support), OVH, RRPProxy, Subreg.cz
+Gandi & Godaddy (no HB modules yet?)

Which OS can use DNSSEC?
Short Answer: Pretty much all of them to some degree (great for cloud/vps/dedicated providers)
Any OS that can use BIND, GbDns, PowerDNS, or Unbound
BSD: FreeBSD, NetBSD, OpenBSD
Linux: ArchLinux, CentOS, Debian, Fedora, Mac OS X, RHEL, Scientific Linux, Ubuntu
Others: Solaris, Windows

Which Control Panels support DNSSEC?
Short Answer: Not many; instead of listing those that do, I'll document what's happening. Feel free to provide updates.  I left out some great panels I couldn't find any documentation on DNSSEC for.
Atomia: Supported
cPanel: Under Consideration The Silence Echoes!
DirectAdmin: Under Development
InterWorx: Under Consideration
ISPconfig: Under Consideration
ISPmanager: Under Development (in Russian), Twitter Tweet
Kloxo: In the Road Map, Feature #356
Plesk: Under Development
Webmin (and family): Supported for years

Note: I Edited the "Which OS can use DNSSEC?" from "Which OS support DNSSEC?" in response to Tallship's post.
"No man really becomes a fool until he stops asking questions"
Charles Proteus Steinmetz
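What DNSSEC actually adds is a signed chain from the root down: the parent zone publishes a DS record (a hash of the child's key-signing DNSKEY), so "TLD supports DNSSEC" in the list above means "the registry accepts DS records from the registrar", which is exactly the piece the registrar modules mentioned above could not wire up without core support. The following is an added example, not code from this post, HostBill or any project named in the thread, that checks that one link offline by the rules in RFC 4034 (key tag per Appendix B, DS digest per section 5.1.4). The DNSKEY/DS records in it are constructed with a made-up four-byte public key; they are not a real zone's keys.

```python
"""Check one link of a DNSSEC chain of trust offline: does a DS record
(as published in the parent zone) match a DNSKEY (as published by the child)?

Added example; the sample records below are constructed with a made-up
public key and do not belong to any real zone.
"""
import base64
import hashlib
import hmac

# DS digest types: RFC 4034 (SHA-1), RFC 4509 (SHA-256), RFC 6605 (SHA-384)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr: str) -> tuple[int, int, int, bytes]:
    """Presentation form '257 3 13 <base64...>' -> (flags, protocol, algorithm, pubkey).
    dig may split the base64 over several whitespace-separated chunks."""
    flags, proto, alg, *key = rr.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key))


def parse_ds(rr: str) -> tuple[int, int, int, str]:
    """Presentation form '<keytag> <alg> <digesttype> <hex...>' -> tuple."""
    tag, alg, dtype, *digest = rr.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the RDATA, odd bytes added as-is,
    even bytes shifted left by 8, with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest( owner name (wire form) || DNSKEY RDATA )."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner: str, dnskey_rr: str, digest_type: int = 2) -> str:
    """What the parent zone should publish for this child DNSKEY."""
    flags, proto, alg, pubkey = parse_dnskey(dnskey_rr)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return f"{key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def ds_matches_dnskey(owner: str, dnskey_rr: str, ds_rr: str) -> bool:
    """True iff the DS record is the one the parent would publish for this DNSKEY.
    Checks protocol, the Zone Key flag bit, algorithm, key tag and the digest."""
    flags, proto, alg, pubkey = parse_dnskey(dnskey_rr)
    tag, ds_alg, dtype, digest = parse_ds(ds_rr)
    if proto != 3 or not (flags & 0x0100):   # protocol must be 3; bit 7 = Zone Key
        return False
    if dtype not in DIGEST_ALGS:             # unknown digest type: treat as no match
        return False
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    if ds_alg != alg or tag != key_tag(rdata):
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), digest)


if __name__ == "__main__":
    # Constructed sample: KSK (flags 257), protocol 3, ECDSAP256SHA256 (13),
    # "public key" 01 02 03 04 -- not a real key, just bytes to hash over.
    owner = "example.com."
    dnskey = "257 3 13 AQIDBA=="
    ds = make_ds(owner, dnskey)
    print("parent should publish:", ds)
    print("match:", ds_matches_dnskey(owner, dnskey, ds))
    print("match with tampered key:", ds_matches_dnskey(owner, "257 3 13 AQIDBQ==", ds))
```

To use it on a live zone, paste the output of `dig +short DNSKEY <zone>` (the record with flags 257) as `dnskey_rr` and of `dig +short DS <zone>` as `ds_rr`; a mismatch means the registrar never pushed the current DS to the registry, which is the failure the manual process in this thread has to avoid. This only checks the DS-to-DNSKEY link; verifying the RRSIG signatures over the zone data is the job of a validating resolver such as Unbound or BIND.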

tallship

Quote from: thetrusteeco on May 21, 2013, 05:17:05 AM
I requested this from Kris a couple times in the past 2 years.  He offered to start the integration for $1000, but I might need to pay more if it turned out to be complicated.  That sounded too much like a $1000 quote to pique my interest.

Sounds like a bait and switch to me. There's a lot involved, more than most people even realize. Be careful asking them to develop support for something that will be done anyway eventually, once it's truly necessary.


Quote from: thetrusteeco on May 21, 2013, 05:17:05 AM
Personally I believe that DNSSEC is as essential now, as SSL was a decade ago.

No offense to Dan Kaminsky, but DNSSEC is truly evil, doesn't provide the security that people think it is supposed to, instead hemming in and stifling openness and freedom of choice - further, DNSSEC doesn't, and hasn't prevented, nor was it able to prevent, ANY of the DNS exploits that found BIND servers vulnerable over the last five years.

I had high hopes for DNSCurve, which actually would have provided for the security that DNSSEC promised, but special interest groups like ISC and Trademark lobby muscled their way through with sheer brute-force-money, setting in motion an insecure and flawed model of security that only the best funded software projects could implement, and to date, only Unbound has done it well - if there is such a thing.

No, I'm not a fanboi of Bernstein either ;)

MaraDNS, as an example of one alternative daemon, on the other hand, has proven impervious to all of those exploits. Those exploits targeted flaws in the design of BIND itself, not DNS Security in a way that DNSSEC could have prevented any such exploits.

PowerDNS, MaraDNS, djbdns, and Unbound are not vulnerable to the Kaminsky flaw, while BIND was wide open to it.

DNSSEC is an agenda pushed by the EVIL ICANN and Paul Vixie, his ISC, other cronies they're sleeping with out of wedlock, and is just yet another attempt at capturing a market of consumers whereby freedom and competing software products can be edged out. Now that we have DURZ, a/o about June 2010, there's no going back - Oh the infinite idiocy of the DoC, and the shrewd craftiness of ICANN and Verisign!

I could go on for days about this, but I won't (very much anyway, I actually can't resist refuting the DNSSEC baloney). I could cite all sorts of papers, studies, NTIS public comments from renowned and expert researchers and scientists, blah blah.

http://www.esecurityplanet.com/news/article.php/3860016/DNSSEC-Compromised-Again.htm

Although the author mentions that he should have enabled DNSSEC, it would NOT have prevented the DDoS he talks about in the article here: http://www.theregister.co.uk/2013/03/28/i_accidentally_the_internet/

In fact, DNSSEC exacerbates amplification attacks making the damage even worse!

Here's an actual post from rob0 himself on the ISC lists from just a year ago. If you know him, or if you know who he is, you'll note that he's being exceptionally modest and diplomatic in his bashing of this most rancid technology of entrapment:
https://lists.isc.org/pipermail/bind-users/2012-February/086914.html

In all fairness, not that I will be fair about this because I am vehemently opposed to DNSSEC, I will include a Kaminsky article where he attempts to refute Bernstein, but read between the lines - there's a reason you don't trust the root when it comes to signing:
http://dankaminsky.com/2011/01/05/djb-ccc/

Kaminsky does give some credit where it's due here:

Quote
Second, I have a tremendous amount of respect for Dan Bernstein.  It was his fix to the DNS that I spent six months pushing, to the exclusion of a bunch of other fixes which (to be gentle) weren't going to work.  DJB is an excellent cryptographer.

And, man, I've been waiting my entire career for Curve25519 to come out.

Haven't we all (been waiting forever on him)?

Kaminsky should be applauded for PhreeBird, however.

Here's another (recent and heated) discussion about the lack of merits in DNSSEC, w/links to more sane and methodical discussion of DNSCurve:
https://news.ycombinator.com/item?id=4717673

More on the Kaminsky DNS flaw/exploit here: http://en.wikipedia.org/wiki/Dan_Kaminsky

BIND has always been a scary thing for us to run, even back in the 4.x days.

Quote from: thetrusteeco on May 21, 2013, 05:17:05 AM
Which OS support DNSSEC? More might be added by the time you read this, I'll update the list if you let me know.
Short Answer: Pretty much all of them (great for cloud/vps/dedicated providers)
BSD: FreeBSD, NetBSD, OpenBSD
Linux: ArchLinux, CentOS, Debian, Fedora, RHEL, Scientific Linux, Ubuntu
Others: Solaris, Windows

None of these OSes *Support* DNSSEC - They can't. They're operating systems. DNSSEC is a DNS thang, and as such, the correct question to ask is, "Which Authoritative DNS server software supports (implements) DNSSEC?"

This from the archives of the MaraDNS list a/o 20 April 2013:

Quote
A decade ago, DNS *was* something simple enough that a single developer could write a viable DNS server in their spare time for fun and for free.  That's why we got djbdns.  That's why we got MaraDNS.

But then DNS became a monstrosity — namely DNSSEC.  I would love to give MaraDNS DNSSEC, but it is going to take serious cash to happen:

http://maradns.org/products.html

There is not a single recursive DNS server with DNSSEC out there that was not funded.  Both BIND and Unbound — the only two recursive DNS servers with DNSSEC — got serious corporate and government funding.  Those people did not deploy DNSSEC for fun and for free.  And it's pretty damn unfair for you to ask me to do so.

There has not been a single release or update to djbdns for well over a decade.  Despite not getting funding, I made a new MaraDNS release earlier this year, and will probably make another one next year.  MaraDNS is getting updates — This year's release updated MaraDNS to work with RedHat/CentOS 6.

The last thing I'm going to post on this subject is an LWN article, in lay terms, describing what DNSCurve is and how it works. There's plenty of links to other informative sources, and I encourage anyone who is considering drinking that DNSSEC kool-aid to stand back, look real hard, and see just what it really stands for, rather than what it supposedly promises to deliver:

http://lwn.net/Articles/340528/

I've been doing DNS since we introduced it in 1985. And this DNSSEC stuff is truly bad.

So... I voted NO.
Bradley D. Thornton - Manager Network Services, NorthTech Computer   TEL: +1.310.388.9469 (US) | +44.203.318.2755 (UK) | +61.390.088.072 (AU) | +41.43.508.05.10 (CH)
Registered Linux User #190795 - "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.

thetrusteeco

Excellent reply Tallship.  I always like seeing a well documented alternate view, especially when you can work in the phrase "Evil ICANN"!  ;D  When did I become a pawn of the Evil ICANN?  I'm cringing 7 years ago and don't know why.

I respect your knowledge regarding DNS, and opinions regarding DNSSEC.

Personally, I've never had faith in DNSSEC (or liked BIND), but... "when it will be done anyway eventually" ... really, you think?  I think that ship has sailed; 1/3 of TLDs are on-board, what can turn this tide?  Too much money pushing it.  Have you seen the media-push for this thing in the EU?  The registries themselves are pushing it on the end-user with discounts, and publicly listing domains as secure or non-secure.

No disrespect, but I think you're like the last guy in the 1920s with an electric car saying "do you know how much carbon those gas guzzlers spit out ... you'll be sorry".

Either way, if customers are looking for this magic-thingamajigger, or are told they have to have it for PCI compliance, and I say "no"... they leave.  Currently, if it's required, it's done manually; I'd rather give the customer direct control so there is no question of who messed up when the magic-thingamajigger doesn't work.

Regarding OS Support, sorry if I over-simplified. I considered several ways of wording that, but chose the simple route, as either the reader would know it is the DNS server, or won't know (or care about) the difference. If you want to suggest a more accurate way of wording that, I'll update it.

This poll should be interesting now.

tallship

Quote from: thetrusteeco on May 21, 2013, 08:35:29 AM

Regarding OS Support, sorry if I over-simplified. I considered several ways of wording that, but chose the simple route, as either the reader would know it is the DNS server, or won't know (or care about) the difference. If you want to suggest a more accurate way of wording that, I'll update it.

I really don't. You may be one of the few people here that actually understands those distinctions ;) I've tried many different ways, many different times, and the only conclusion that I kept arriving at was that unless someone took the time to read Cricket Liu's O'Reilly book, DNS and BIND, or otherwise engaged in actually implementing some of the practical examples over at http://www.zytrax.com/books/dns/ , then no matter how it's presented, and how convincing they are at telling you they finally understand - they don't, LOL.

You're right about that electric car thing too. One of my associates sat me down and said to me one day, "Look Bradley, I know you hate ubuntu. We both know it sucks, and I know you really don't want to support or provide it. But when it comes to the customer and what they want, isn't all money just as green as the rest?"

Similarly, and back when I was still teaching the MCSE program, and the CTO of an IT firm in San Clemente, the CEO sat me down in his office and said, "Bradley, you really need to stop selling those UNIX mail solutions based on Sendmail or Exim or Postfix to the clients. If they ask your opinion or to make a recommendation that's one thing, but when they ask for Exchange and you convince them otherwise, we never see them again until we have to train their new admins. When we sell them an Exchange solution, we get to bill them for services at least twice a month."

So yes, you're absolutely right on most of those points from the standpoint of the provider, as a provider. But where kbkp is concerned, I would still urge you not to succumb to letting him, for lack of a better term, ransom you into funding a project that will cost you, while being in his best interest to implement it on his own anyway ;)

If you're sure that the ROI is there for you, then we all benefit in the long run, because the customers will ask, but I would hate to see someone shoulder that burden themselves when it really is something he should undertake on his own volition :)

Kindest regards,
Bradley D. Thornton - Manager Network Services, NorthTech Computer

thetrusteeco

I did edit the OS section a bit to clarify for those that care.

The reason I opened this poll is to determine if I'm the only Evil ICANN Pawn person requesting DNSSEC, or if others want it. It's been a hot button topic in the cPanel, DirectAdmin, and Plesk forums for years, mainly from the .gov people and the Europeans (.nl, .uk, and .se users have been the most outspoken IMO).  Very little interest from the developers, who are probably hoping it'll just go away too (lots of "Do you really want this?" and "What do you think it does?").

I was surprised by Kris' reply.  It got me wondering if I was alone on this.  As for the $1000 quote, I get his perspective; it is a big (generally pointless) undertaking that many HostBill customers may have no use for.  I don't think he's trying to bait-and-switch, but I just wasn't going to give him $1000 and then have him come back and say, you know, it's a lot bigger than I thought, I need $10,000 to finish.  Also, I didn't want to distract him from the bugs (my mantra).

Honestly, I'd love to be on the wrong side of this.  I chose the Registrars I use because their API supports DNSSEC.  If I switched to a LogicBoxes registrar I could drop prices on gTLDs.

Patrick

Quote from: tallship on May 21, 2013, 07:07:39 AM
Sounds like a bait and switch to me. There's a lot involved, more than most people even realize. Be careful asking them to develop support for something that will be done anyway eventually, once it's truly necessary.


No offense to Dan Kaminsky, but DNSSEC is truly evil, doesn't provide the security that people think it is supposed to, instead hemming in and stifling openness and freedom of choice - further, DNSSEC doesn't, and hasn't prevented, nor was it able to prevent, ANY of the DNS exploits that found BIND servers vulnerable over the last five years.

I had high hopes for DNSCurve, which actually would have provided for the security that DNSSEC promised, but special interest groups like ISC and Trademark lobby muscled their way through with sheer brute-force-money, setting in motion an insecure and flawed model of security that only the best funded software projects could implement, and to date, only Unbound has done it well - if there is such a thing.

[Majority Snipped]

I'm not even going to say much else other than +1 this post.  Well said and kudos to a well written post.

Edit:

I kind of forgot to add in what I wanted to say to you thetrusteeco.  I believe tallship is correct.  Wait it out and they'll eventually do it anyway.  The fact he's asking $1000 is a joke.  He's one of the most expensive developers I've seen for the prices he charges.  It's madness.
Patrick - Forum Rules
Insanity: doing the same thing over and over again and expecting different results. - Albert Einstein

maxim

Yes, true, I wanted to add DNSSEC to the Subreg module but no luck.
When HostBill supports this, I will implement it (for free of course, no additional payments).
This is too important for me and for many others, I think.