Please provide feature to enable DNSSEC to secure the DNS.


I second this suggestion. Salient parts of this feature may include:

[]on user action: generate keys (ZSK, KSK), publish in zone, sign zone
]accept user-generated keys (ZSK, KSK), publish in zone, sign zone
[]accept user-specified NSEC3PARAM record, generate NSEC3 chain
]if DreamHost is registrar: install secure delegation (DS) in parent zone
[]if DreamHost is not registrar: report to user fields required to install DS in parent zone via registrar
]accept user-specified DS record for child zone (NS)
[*]accept user-specified TLSA records for hosted services


I also second this suggestion, but given correct DNSSEC implementation—especially for a large hosting company such as yourself is long, complicated, and fraught with danger not only for yourselves but also your customers (it’s incredibly easy to botch key rollover in a manner that breaks your domain—just ask NASA—or compromises security), I’d like to make an additional suggestion.

First, and as a matter of priority, provide a method that allows DS records[1] to get from the registrant (DreamHost customer) to the registry in a secure fashion. E.g. have a button next to a domain registration (mark it ‘advanced’, and include the usual “Warning! Danger, Will Robinson!” disclaimers) that allows a customer to supply their own DS record data, which you then securely transmit to the appropriate registry. This will allow customers with their own DNSSEC implementations to secure DreamHost-registered domains.

A full DNSSEC implementation for the DreamHost DNS service is essential, IMHO, but allowing customers to provide their own DS records should be relatively trivial and would get the early adopters—like me—off your back. :slight_smile:

Forwarding DS records to the registry is the only thing needed for customers to run their own DNSSEC; no DreamHost-registred domain can implement DNSSEC (without look-aside validation) without this.

[1]: A DS record contains a key ‘fingerprint’, which facilitates the chain of trust in DNSSEC. The root (.) zone contains a DS record for .net, which verify’s the key in .net’s DNSKEY record; .net contains a DS record (not yet!) for calrion.net, which verify’s the key in calrion.net’s DNSKEY record. More info at Wikipedia.


didn’t see anything newer. so i’ll bump this one.

The ICANN registrar agreement requires that as a registrar you support DNSSEC to the point of allowing me to add a DS record with all of the available DS algorithm types.

I’ve signed up with cloudflare directly and would like to enable dnssec. But I’ll have to transfer my domain registration to someone else since you dont support DS records


I’m at Cloudflare and enabled DNSSEC over there. I had to transfer all my domains over to Hover before I could get DNSSEC up and running.

After all that, I know the DNSSEC is working, but I’ve not seen proof that my Mac is checking DNSSEC. All the test sites say my resolver doesn’t support it.

If my up to date Mac isn’t using DNSSEC, then what’s the point? From my limited perspective, not many people will benefit.