DNSSEC with DigitalOcean - Strict NS unique-IP fallback policy enforced with .CA

I wanted to set up DNSSEC and DANE for my mail server, but it wasn't available with DigitalOcean's DNS.

The solution suggested here was to set up your own authoritative DNS server. I set it all up and tested it on one domain first, a .com, and it went absolutely flawlessly on the first try.

I switched all my other domains over, which were .CA, and everything S#*& the bed horribly. Apparently my country's TLD strictly follows the IANA requirement that all name servers must resolve to unique IPs. .COMs were much more easygoing for whatever reason and let me cheat the secondary NS fallback. I understand why you should have a proper fallback, but for my uses it is fine.

  1. It would be really nice if DigitalOcean added DNSSEC to their DNS. I really don't care about running my own DNS service, even though the vanity name servers look fantastic.

  2. I didn't want to invest more in other services to get a secondary DNS. I did see some free ones, but they either didn't support DNSSEC or had a limit of, say, 50 total records, and I have about 15 records x 6 domains. The other request limits were fine, as I have light traffic other than the standard-issue bots. Does anyone have a good alternative, or do I just ditch the idea of DANE?

Cheers, Ryan
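As an added example (not part of Ryan's post, and not a DigitalOcean tool), here is a small Python pre-flight check that models the registry-side rule the post ran into: before changing a delegation, confirm that every NS name resolves and that no two NS names share an address. The `strict` flag models the .CA-style behaviour described above; `strict=False` models the lenient behaviour the poster saw with .com, where two NS names pointing at one server were accepted. The zone names and addresses are constructed sample data (RFC 5737/3849 documentation ranges), not a real delegation.

```python
"""Pre-delegation sanity check for a self-hosted authoritative DNS setup.

Models the registry check described in the post: every NS in the delegation
must resolve, and (in strict mode) to an address no other NS in the set uses.
All sample data below is constructed and does not describe any real zone.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: the "cheat" from the post, two NS hostnames that both
# resolve to the same single server.
CHEATED_DELEGATION = {
    "ns1.example.ca.": ["203.0.113.10"],
    "ns2.example.ca.": ["203.0.113.10"],
}

# Constructed sample: a proper pair, each NS on its own host (ns1 dual-stacked).
PROPER_DELEGATION = {
    "ns1.example.ca.": ["203.0.113.10", "2001:db8::10"],
    "ns2.example.ca.": ["198.51.100.20"],
}


def check_delegation(ns_addrs, strict=True, min_ns=2):
    """Return a list of problems found; an empty list means it would pass.

    ns_addrs: mapping of NS hostname -> list of IP address strings it resolves to
              (what you would get from the glue / A and AAAA lookups).
    strict:   True  -> every address must belong to exactly one NS name
                       (the .CA-style rule from the post);
              False -> only require that each NS resolves at all
                       (the lenient behaviour the post saw with .com).
    """
    problems = []
    if len(ns_addrs) < min_ns:
        problems.append(f"only {len(ns_addrs)} name server(s); need at least {min_ns}")

    # Invert the mapping so shared addresses become visible.
    owners = defaultdict(list)
    for ns, addrs in ns_addrs.items():
        if not addrs:
            problems.append(f"{ns} does not resolve to any address")
            continue
        for a in addrs:
            try:
                ip = ipaddress.ip_address(a)
            except ValueError:
                problems.append(f"{ns}: {a!r} is not a valid IP address")
                continue
            owners[ip].append(ns)

    if strict:
        for ip, names in owners.items():
            if len(names) > 1:
                problems.append(f"{ip} is shared by {', '.join(sorted(names))}")
    return problems


if __name__ == "__main__":
    for label, deleg in (("cheated", CHEATED_DELEGATION), ("proper", PROPER_DELEGATION)):
        for strict in (True, False):
            mode = "strict" if strict else "lenient"
            found = check_delegation(deleg, strict=strict)
            print(f"{label:8s} {mode:8s} -> {'OK' if not found else found}")
```

Run it before flipping a .CA (or any strict registry) delegation to a self-hosted setup; if the strict mode reports a shared address, the registry is likely to reject the change and you need a genuinely separate secondary rather than a second hostname on the same box.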
