Njalla adds DNSSEC support

Your favorite privacy-aware domain registration service now supports DNSSEC with the click of a button. I’m not exactly sure when this got added, but DNSSEC is now available for selected TLDs.

Yesterday, after logging in to my account to modify my DNS records, I discovered that I now had the option to enable DNSSEC for my domain.

Njalla DNS management

Njalla DNS management now offering DNSSEC support

I decided to go ahead with enabling DNSSEC and within the hour the zone was signed and published, meaning resolvers would now be able to validate the authenticity of the DNS data.

Granted, I’m not a diehard believer in DNS Security Extensions by any means (why trust DNS at all?), but regardless, DNSSEC is an anticipated addition to Njalla’s service.

DNSSEC paranoid edition

The only objection I have with Njalla’s DNSSEC implementation is that I find it to be a somewhat excessive. KSK pairs with a key length of 4096 bits and ZSK pairs with a key length of 2048 bits is a bit (pun intended), erm, dare I say paranoid.

The issue with this approach is the time and resources spent on validating signatures. Especially when using the RSA/SHA256 algorithm that produces large signatures, and by consequence, large responses.

You may admire these previously mentioned obese public keys for yourself by issuing the command:

dig +short DNSKEY paranoidpenguin.net
257 3 8 AwEAAZHOhdBEhwSeIIUStDAQ7QSTNvCsuOY/tDq7/OKychutf6NJ3ouW...
256 3 8 AwEAAYeoJeKDQE57rG7zb4eEuPuw5ECsU3SdWN/L93Iq6xH1UnVlxrkb...

For comparison, the image below show the response size when querying the SOA records for my two Njalla managed domains. Paranoidpenguin.net on the left is signed, Paranoidpengu.in is not:

DNSSEC - Query response size

Roger Comply avatar
Roger Comply
Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed.