On 25 Apr 2014, at 12:23, lst_ho...@kwsoft.de wrote:

> Quoting Viktor Dukhovni <postfix-us...@dukhovni.org>:
> 
>> On Wed, Apr 23, 2014 at 04:54:44PM +0200, lst_ho...@kwsoft.de wrote:
>> 
>>> Is there any experience with DNSSEC capable DNS Providers at the lower cost
>>> range suitable for KMU?
>> 
>> I've not looked at the cost of full-service DNS outsourcing.  Some
>> of the .org registrars are quite cost-effective and have decent
>> DNSSEC support (I am paying $8/year for dukhovni.org and the
>> registrar's DNSSEC interface is an easy to use web form).
>> 
> 
> That's what we would need for .de and .com domains....
> 
>>> We are now at a quote for ~300 Euro/month as all-inclusive-DNS (web based
>>> management, automatic key handling, anycast etc.).
>> 
>> I assume that's for multiple high-traffic domains?  The tools for
>> self-hosting DNSSEC domains are getting better and easier to use,
>> so one certainly does not need to pay that kind of money unless
>> one needs DDoS protected DNS for multiple high-value/high-traffic
>> domains.
> 
> Not at all. While the provider does deliver most of this we actually don't 
> need it because our traffic is rather low. We only need full outsourced DNS 
> with DNSSEC and TLSA + SMIMEA records in the future. Unfortunately at least 
> for the .de only a few providers offer DNSSEC at all and it looks like they are 
> all on the higher price side :-(
> 
> Will search a little more to see what we got.

If you don't mind setting the key at the registrar once a year, it shouldn't need 
to be anywhere near that expensive. All you need is a registrar that allows you 
to enter the KEYDATA for your .de domain, and something like Dyn's Managed DNS 
Express. That starts at $5 a month for up to two domains. Anycast, DNSSEC 
support etc.

We've been using them for ourselves and our customers for a while now. It 
really is as simple as rolling the KSK once a year; the ZSK every month will 
automatically rotate for you.

I bet there are others out there who offer DNSSEC, too. One of our local cloud 
providers does it by default if you host it on their servers. It can be 
frustratingly hard to find though, if you're looking for it.

Not sure about TLSA/SMIMEA records, though. Do those require specific support 
from the DNS provider?

Kind regards,
Joni
