On 07/01/2015 3:02 PM, Viktor Dukhovni wrote:
On Wed, Jan 07, 2015 at 02:44:11PM -0500, James B. Byrne wrote:

This is exactly our situation.  We presently use DLV.  I can get our
upstream registrar to manually add DS RRs for our .com, .net; and I
believe our .org tlds. But they will not do so for our principal tlds
that belong to .ca.
Paul Wouters has a perfectly good DNSSEC .ca domain:

     nohats.ca. IN MX 10 mx.nohats.ca. ; NOERROR AD=1
     _25._tcp.mx.nohats.ca. IN TLSA 3 1 1 462573195c86e861abab8eccfbc7f0486958efdff9449ac10729b3a0f906f388 ; passed

     Domain name:           nohats.ca
     Domain status:         registered
     Creation date:         2011/11/28
     Expiry date:           2015/11/28
     Updated date:          2014/10/30
     DNSSEC:                Signed

     Registrar:
        Name:              Tucows.com Co.

Nonetheless, as we have many domains registered
with them, and have been using them since 2000 March 26, we are
reluctant to change providers.

CIRA's answer is to change registrars. That is the easy out, for them.
The difficulty being the administrative and financial costs of doing
so for us.

So, we await developments and in the meantime employ DLV.
I had the same problem: my domain klam.ca (the family site which I use for experimenting) was registered with Tucows, who could not, would not provide DNSSEC support for .ca. I switched to Gandi for all my domains; the cost was reasonable and they provide a usable DNSSEC update console.
The "value" of DLV is rather limited, I personally would not bother.
If you actually want DNSSEC, switch registrars.  Otherwise, wait for
yours to get on-board.

Anyway, this is somewhat off-topic for Postfix, so we should delve
into too deeply.

