Today I learned that signal.org doesn't deploy DNSSEC. 🙄 It's 2020…
@sheogorath Neither does Route 53. Which is a shame, but I'm not willing to administer a BIND or similar resolver.
@nathand Sorry, but I think there is a lot of grey area to cover between "I use provider A that doesn't cover DNSSEC" and "I have to operate DNS all myself". There are a ton of providers out there that provider proper DNSSEC support these days. Even a lot that I usually wouldn't recommend for other reasons.
I think it's too cheap to say "Amazon doesn't do it, so I can't do it".
@sheogorath Okay, well, thanks. I think that was a bit harsh.
Several popular DNS hosting services I've checked out don't yet support DNSSEC, like Hurricane Electric, Windstream, Route 53 and more. I don't think it's entirely unreasonable to to be hosted on a decent service that for one reason or another doesn't yet support DNSSEC endpoints.
Amazon is priced right for my purposes and while it doesn't support DNSSEC, I'm not sure it falls under the "critical need" column, either.
@nathand It wasn't intended to judge you, but I think there is a range of action one can take. And while no one can take all actions, one might want to consider the options. And yes, while a lot of DNS vendors don't support DNSSEC, pretty much all common TLDs do, as well as vendors ranging from namecheap and INWX over Cloudflare and Clouddns to Gandhi and deSEC. With all different price points from "free" to pricey as well as pretty much all feature sets I can think of available.
@sheogorath I'm looking at the alternatives. There are good services out there and Hurricane Electric or 1984 both look really decent. DNSSEC is just one of those things that while perfectly fine to implement, doesn't seem critical for most setups. I understand why it's important, though.
This is my personal microblog. It's filled with my fun, joy and silliness.