Where we are with DNSSEC

From time to time we get questions on DNSSEC support. There are many parts to DNSSEC, but here’s we we stand as of this post:

Our Secondary DNS service (which is based on BIND9) has supported DNSSEC for several years and we have received confirmed reports from some of our customers that use the secondary service that it does work. The Primary DNS service does not support it at this time since it’s based on a version of PowerDNS that lacks DNSSEC support. However, the next release version of PowerDNS will have it, at which point we can work on integrating it into our control center.

On the network side we do not employ any type of mechanisims that try to be “smart” with manipulating DNS traffic incorrectly. Further to that, both UDP and TCP are open for DNS traffic. Contrary to popular belief, DNS queries can use TCP for queries other than AXFR if the UDP query failed, so we allow both.