DNSSec with Digital Ocean - Strict NS unique IP failback policy enforced with .CA's

Posted on October 29, 2020 by Ryan McGinn, Creative Computron

I wanted to set up DNSSec and DANE for my mail server, but it wasn’t available with Digital Ocean’s DNS.

The solution on here was to set up your own Authoritative DNS Server. I set it all up and tested on one domain first, which was a .com, and it went absolutely flawlessly on the first try.

I switched all my other domains over, which were .CA, and everything S#*& the bed horribly. Apparently my country’s TLD strictly follows the IANA requirement that all name servers must resolve to unique IPs. Dot COMs were much more easygoing for whatever reason and let me cheat the secondary NS fallback. I understand why you should have a proper fallback, but for my uses it is fine.

  1. It would be really nice if Digital Ocean added DNSSec into their DNS. I really don’t care about running my own DNS service even though the vanity name servers look fantastic.

  2. I didn’t want to invest more into other services to get a secondary DNS. I did see some free ones, but they either didn’t support DNSSec or had a limit of say 50 total records, and I have about 15 x 6 domains. The other request limits were fine as I have light traffic other than the standard-issue bots. Anyone have any good alternatives, or do I just ditch the idea of DANE?

Cheers, Ryan
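A pre-flight check for the registry policy the post ran into, added here as an example (it is not code from the post, from DigitalOcean or from the .CA registry). It takes the zone's NS set and the addresses each name server resolves to and reports whether every name server sits on a distinct IP, which is what a strict registry requires before it accepts the delegation. The fixtures are constructed with documentation addresses; in practice you would fill the mapping from `dig +short A <ns>` / `dig +short AAAA <ns>` before changing the delegation.

```python
"""Check that every name server in an NS set resolves to its own address.

Added example, not from the post or any provider's code. Fixtures are
constructed (RFC 5737 / RFC 3849 documentation addresses).
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed fixture: the shape of the "cheat" from the post, two vanity NS
# names that both point at the same box.
SAME_HOST_ZONE = {
    "ns1.example.ca.": ["203.0.113.10", "2001:db8::10"],
    "ns2.example.ca.": ["203.0.113.10", "2001:db8::10"],
}
# Constructed fixture: what a strict registry expects, each NS on its own
# addresses.
DISTINCT_ZONE = {
    "ns1.example.ca.": ["203.0.113.10", "2001:db8::10"],
    "ns2.example.ca.": ["198.51.100.20", "2001:db8::20"],
}


def check_ns_uniqueness(ns_addrs: dict[str, list[str]]) -> tuple[bool, list[str]]:
    """Return (ok, problems) for a mapping of NS name -> resolved addresses.

    Flags three things: fewer than two name servers, a name server that
    resolves to nothing, and any address shared by more than one name server.
    """
    problems: list[str] = []
    if len(ns_addrs) < 2:
        problems.append("fewer than two name servers in the NS set")

    owners = defaultdict(list)  # address -> names of the servers using it
    for ns, addrs in ns_addrs.items():
        if not addrs:
            problems.append(f"{ns} resolves to no address")
        for addr in addrs:
            # ip_address() normalises text and raises on junk input, so
            # "2001:db8::10" and "2001:0db8:0:0::10" count as the same address.
            owners[ipaddress.ip_address(addr)].append(ns)

    for ip, names in sorted(owners.items(), key=lambda kv: str(kv[0])):
        if len(names) > 1:
            problems.append(f"{ip} is shared by {', '.join(sorted(names))}")
    return (not problems, problems)


def diagnose(ns_addrs: dict[str, list[str]]) -> str:
    """One-line verdict, handy when the registry's own error message is terse."""
    ok, problems = check_ns_uniqueness(ns_addrs)
    if ok:
        return "OK: every name server has unique addresses"
    return "FAIL: " + "; ".join(problems)


if __name__ == "__main__":
    for label, zone in (("same-host", SAME_HOST_ZONE), ("distinct", DISTINCT_ZONE)):
        print(f"{label:10s} {diagnose(zone)}")
```

Running it against the first fixture reports both the IPv4 and the IPv6 address as shared, which is exactly the delegation a strict registry rejects; the second fixture passes. Because addresses are compared after normalisation, the check is not fooled by two NS names that differ only in how the same IPv6 address is written.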


Hello there,

It’s great that you’ve tried to set up DNSSEC and DANE for your mail server to enhance security. However, I understand that it can be challenging to manage your own authoritative DNS servers, especially when dealing with different top-level domains (TLDs) that have different requirements and restrictions.

If you don’t want to run your own DNS server to support DNSSec and DANE, here are some alternatives:

  • Managed DNS services: These services take care of managing your DNS for you, including DNSSec and DANE support. Some popular managed DNS services include DigitalOcean, Cloudflare DNS, etc. These services can be a good option if you want a reliable and secure DNS solution without the hassle of managing your own DNS servers. However, they may have a monthly fee.

  • Secondary DNS providers: If you prefer to keep DigitalOcean as your primary DNS provider, you can use a secondary DNS provider for redundancy and to comply with IANA requirements.

  • Domain registrar DNS services: Some domain registrars also offer DNS services with DNSSec support. If you manage your domains with a registrar that offers DNS services, you may want to consider using their DNS services to simplify your DNS management.

  • Ditching DANE: If managing DNS for your domains becomes too complex or costly, you may want to consider not implementing DANE at this time. DANE adds an extra layer of security to email communication by tying certificates to DNS records, but it is not a strict requirement for running a mail server. You can still use Transport Layer Security (TLS) with a valid SSL/TLS certificate to secure your mail server.

Ultimately, the best option for you will depend on your specific needs and budget. If DNSSec and DANE are essential for your setup, consider using a managed DNS provider or a secondary DNS service. If you can live without DANE for now, focus on making sure your mail server is properly configured for secure email communication using TLS.

I hope this is more helpful!
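The answer above says DANE ties a certificate to DNS records; the record that does that is TLSA. As an added example (not code from the answer, from DigitalOcean or from any DNS provider), this builds the TLSA record a mail operator would publish and verifies a presented certificate against it. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins for DER data; for selector 1 the SubjectPublicKeyInfo DER is assumed to be extracted by the caller (for example with the `cryptography` library), since parsing X.509 is outside what this shows.

```python
"""Generate and verify DANE TLSA records (RFC 6698 / RFC 7672).

Added example, not from the page. FAKE_CERT_DER and FAKE_SPKI_DER are
constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins; real values come from the server's certificate.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_SPKI_DER = b"\x30\x59" + bytes(range(89))


@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE, the usual choice for SMTP (RFC 7672)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

    def presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def tlsa_owner_name(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name the record lives at, e.g. _25._tcp.mail.example.ca."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format; the hex may be split across whitespace."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hex_parts)))


def _selected(cert_der: bytes, spki_der: bytes | None, selector: int) -> bytes:
    """Pick the part of the certificate the selector field refers to."""
    if selector == 0:
        return cert_der
    if selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo DER")
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def _matched(data: bytes, mtype: int) -> bytes:
    """Apply the matching type: raw bytes or a digest of them."""
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert_der: bytes, *, usage: int = 3, selector: int = 1,
              mtype: int = 1, spki_der: bytes | None = None) -> TLSA:
    """Build the record to publish; default 3 1 1 (DANE-EE, SPKI, SHA-256)."""
    return TLSA(usage, selector, mtype,
                _matched(_selected(cert_der, spki_der, selector), mtype))


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes | None = None) -> bool:
    """Does the certificate a server presented satisfy a published record?"""
    expected = _matched(_selected(cert_der, spki_der, record.selector), record.mtype)
    return hmac.compare_digest(expected, record.data)


if __name__ == "__main__":
    rec = make_tlsa(FAKE_CERT_DER, spki_der=FAKE_SPKI_DER)
    print(tlsa_owner_name("mail.example.ca"), "IN TLSA", rec.presentation())
    print("presented cert matches:", tlsa_matches(rec, FAKE_CERT_DER, FAKE_SPKI_DER))
```

The default of `3 1 1` is the form most SMTP deployments publish: pinning the public key rather than the whole certificate means a routine certificate renewal that keeps the same key does not invalidate the record. That only helps if the zone itself is signed, which is why the post's DNSSEC problem has to be solved before DANE can do anything: an unsigned TLSA record is ignored by DANE-aware senders.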
