As you may have seen in my last post, I have been fiddling with dnscrypt lately. Well, I also picked up and set up a web site there. I used letsencrypt/certbot to SSL it, and I bought it from since they support DNSSEC (while does not). Turns out it isn't that simple. doesn't have any way to add the required resource records in their DNS Manager. I opened up a support ticket and they replied that they must create the DNSSEC records manually. So I submitted a list of records I wanted signed, but it still isn't working. Seriously, this should not be difficult.

Now CIRA is the organization that is supposed to manage the .ca TLD, and frankly I would think that they should have a fair bit of the responsibility of encouraging DNSSEC use. After all, their web site does say:

Domain Name Security Extensions (DNSSEC) is a critical upgrade to the security of the Internet by protecting users against attacks such as those listed above.
In 2014 CIRA implemented DNSSEC capability in the Registry and worldwide there has been a significant push for the implementation of the DNSSEC.

But where is this "significant push"? I don't see any push at all to use DNSSEC. What exactly has CIRA done to encourage registrars to provide DNSSEC support? My current registrar doesn't support it, and doesn't seem very interested in supporting it, and the new registrar has to manually make DNSSEC entries. This is pretty inconvenient since those entries would have to be redone any time there are changes to any DNS records. It can't be realistic to think that people would open a support ticket every time they want to migrate to a new server or host, or if their IP address changes.

So far I am pretty disappointed with DNSSEC support... so it doesn't look good for DANE support either, eh? Am I seriously going to have to consider dumping my .ca domain name in favour of a TLD that has actively security-conscious registrars? That would be really disappointing. :-(

