On Mon, Jul 27, 2020 at 10:55:31PM +0000, Antonio Leding wrote:
> Thanks Victor - actually watching some of the presos now…
>
> BTW…any choice you like for DNSSEC providers? Google seems like a safe bet
> but I figured you might have some feedback on this as well…
I self-host, so my direct experience is limited. Google are signing a
lot of domains lately. On any given day, most of the newly signed
domains are operated by them, so they certainly are doing it at scale.
In Europe, there are many providers that also host DANE TLSA RRs for
their DNS+MX hosted domains.
one.com
transip.nl
domeneshop.no
...
https://mail.sys4.de/pipermail/dane-users/2020-July/000571.html
Though somewhat out of date (I update it infrequently), the below shows
which MX-hosting providers have many DNSSEC-signed customer domains:
http://dnssec-stats.ant.isi.edu/~viktor/hosters.html
Cloudflare also does DNSSEC hosting, but does not do much if any email
hosting, so don't show up in the above stats. At some point I should
starting populating NS and/or SOA records to the DANE survey database,
which would provide better insight into who operates DNSSEC-signed
domains. Presently, I only collect the DS, DNSKEY, MX, A, AAAA and
TLSA RRs, which cover the MX-operator, but not the DNS operator.
--
Viktor.
