4

I own a domain name via Google Domains and my website is hosted on a shared account with Dream Host. I see that both provide DNSSEC vs. old DNS, and I was thinking of enabling it.

But before I do so, I was wondering: what are the downsides of enabling DNSSEC for your website, if any?

c00000fd
  • 505
  • 3
  • 6
  • 11
  • "I was wondering what are the downsides" By itself, DNSSEC, like absolutely anything else, has drawbacks indeed (basically the DNS provider should be careful about how it handles keys/signatures, which relates to having good monitoring), so to answer this question you need to put it into perspective with its advantages and see if the balance goes in the correct direction for your use case. But what is your use case? What are you trying to defend against? What are your constraints and budgets? Note that DNSSEC is not "new DNS" (you say "DNSSEC vs old DNS"); it is an extension over DNS. – Patrick Mevzek Feb 25 '20 at 17:23

1 Answer

2

If you enable DNSSEC, for most clients it's a no-op, as they are highly unlikely to verify the signatures, etc.

Yet, for those who do verify, enabling DNSSEC for the domain is somewhat of a one-way road. I don't know the provider you mention, but in order to transfer such a domain to a different 3rd-party DNS service, you would need both:

  • support at the old vendor to extract the private keys,
  • support at the new vendor to import external private keys.

Otherwise your DNSSEC-enabled clients will see faults with domain name lookups in the transition period.

Patrick Mevzek
  • 9,273
  • 7
  • 29
  • 42
GrzegorzOledzki
  • 988
  • 6
  • 21
  • "As they are highly unlikely to verify the signatures" Clients do not do that. Recursive nameservers do, typically. – Patrick Mevzek Jan 03 '20 at 10:32
  • 2
    "but in order to transfer such a domain to a different 3rd party DNS service" There are other ways to do it than the one you describe, as the one you give ("extract private keys") will mostly never happen in real life (ex: in an HSM there is no way to extract private keys at all, by design) – Patrick Mevzek Jan 03 '20 at 10:33
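Added example (not from the question, the answer, or either provider): the check behind the "one-way road" the answer describes, worked in Python. What breaks in a provider move is not the clients but the chain of trust: the registrar publishes DS records at the parent zone that are hashes of the zone's KSK, and a validating recursive resolver (as the comment above notes, resolvers do the validating, not end clients) accepts the DNSKEYs it fetches from the provider only if one of those DS records matches. The script builds DS records from DNSKEYs per RFC 4034, then evaluates the states a migration passes through. It goes slightly beyond the answer in showing the usual alternative to moving private keys: publish the new provider's DS next to the old one at the parent before switching NS. The zone name, the 4-byte stand-in "public keys" and the scenario labels are constructed for illustration.

```python
"""Does the DS set a parent publishes still authenticate the DNSKEYs a zone
serves?  A mismatch is the DNSSEC migration failure mode: validating
resolvers return SERVFAIL for the whole zone, unvalidating ones see nothing.
Added example; keys and names are constructed, not real records."""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase
    labels, each length-prefixed, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except retired RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS record (key tag, algorithm, digest type, hex digest) a parent would
    publish for this DNSKEY; digest = H(owner name wire form | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(owner, ds, dnskey) -> bool:
    """RFC 4035 s5.2 DS-to-DNSKEY match: Zone Key flag set, same algorithm,
    same key tag, same digest.  The SEP bit is deliberately not consulted."""
    tag, alg, dtype, digest = ds
    flags, protocol, algorithm, pubkey_b64 = dnskey
    if not (flags & 0x0100) or alg != algorithm or dtype not in DIGESTS:
        return False
    return ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype) == ds


def chain_is_intact(owner, parent_ds_set, zone_dnskeys) -> bool:
    """True if at least one DS at the parent authenticates a DNSKEY the zone
    actually serves; otherwise a validating resolver treats the zone as bogus."""
    return any(ds_matches_dnskey(owner, ds, key) for ds in parent_ds_set for key in zone_dnskeys)


# Constructed sample data: 4-byte stand-ins for public keys.  flags 257 = KSK
# (Zone Key + SEP), 256 = ZSK; protocol 3; algorithm 13 = ECDSAP256SHA256.
ZONE = "example.com."
OLD_KSK = (257, 3, 13, base64.b64encode(b"\x00\x01\x00\x02").decode())
NEW_KSK = (257, 3, 13, base64.b64encode(b"\x0a\x0b\x0c\x0d").decode())
ZSK = (256, 3, 13, base64.b64encode(b"\x10\x20\x30\x40").decode())


def migration_scenarios():
    """States a provider move passes through, from a validating resolver's view."""
    ds_old = ds_from_dnskey(ZONE, *OLD_KSK)
    ds_new = ds_from_dnskey(ZONE, *NEW_KSK)
    return {
        # Registrar DS points at the old provider's KSK, old provider serves it.
        "before_move": chain_is_intact(ZONE, [ds_old], [OLD_KSK, ZSK]),
        # NS switched to the new provider, DS at the registrar never updated.
        "naive_move": chain_is_intact(ZONE, [ds_old], [NEW_KSK, ZSK]),
        # Both DS records published at the parent before the NS change.
        "pre_published_ds": chain_is_intact(ZONE, [ds_old, ds_new], [NEW_KSK, ZSK]),
        # Zone turned back into plain DNS but the DS was left at the registrar.
        "ds_left_behind": chain_is_intact(ZONE, [ds_old], []),
    }


if __name__ == "__main__":
    for state, ok in migration_scenarios().items():
        print(f"{state:18s} {'validates' if ok else 'BOGUS / SERVFAIL'}")
```

Against a live domain the same comparison is `dig DS example.com` (the parent's view, which the registrar pushes to the TLD) versus `dig DNSKEY example.com` at the hosting provider; `delv example.com` runs the full validation and says why a chain is bogus. The practical rule the scenarios illustrate: before changing NS, the DS set at the registrar must already be consistent with what the new provider will serve, and before turning DNSSEC off, the DS must be removed from the parent and allowed to expire from caches, otherwise the zone is bogus for exactly the resolvers that validate.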