Hacker News new | ask | show | jobs
Ask HN: Should I enable DNSSEC for my start-up?
1 points by Nizumzen 4574 days ago
As the title really. Should I make the effort to enable DNSSEC for my start-up? At the moment I'm currently using Amazon Route 53 but could move to custom DNS servers if supporting DNSSEC is considered important enough.

My start-up is directed at very technical users (developers primarily) so I get the feeling that they will appreciate the extra security that DNSSEC provides but at the same time running my own DNS is an extra expense that might be better used for something else.

Another advantage of running my own DNS servers is that I can supply DNS services to clients as well which would be a nice little add-on for them.

What would you do?
2 comments
donavanm 4574 days ago
What compelling business need is there for DNSSEC? The only thing I can think of are some of the compliancy rules for gov/corp work coming up in 2014 & 2015. Unless DNSSEC makes you money youre wasting your time.

Secondly any comment that trivializes DNSSEC implementation has little real world experience. Go read the DNS OARC archives. Major orgs, .gov, TLDs, etc, regularly break DNSSEC deployments. These are the domain experts who are pushing Wider adoption. If they can't consistently execute why do you believe you will be successful?

link
Nizumzen 4574 days ago
I don't think I claimed that implementing DNSSEC was easy.

But I'll certainly take your advice about reading the archives to get some perspective.

link
Arnt 4574 days ago
Pro: It's not much trouble, DANE and other things will make it worthwhile, and it's easier to do when you can still have a bit of downtime without pain.

Contra: There's always much to do in a startup. Deferring tasks is good, even though they'll be more difficult later.

There are a few providers around who'll do most of the job for you. It's called a "hidden primary", and easydns offers it, among others.

link
Nizumzen 4574 days ago
Thanks for the comment. I'll look into EasyDNS and see what services they provide.

I may well take your advice and just go with a normal DNS deployment and then later on when I have more time make more of an effort to deploy DNSSEC.

link