Trying to Set Up DNSSEC WITH 1&1 (IONOS)

I contacted my website’s host (1&1 aka IONOS) with the hope that I could implement clouflare.com’s DNSSEC protection for my website. While they claim that they provide DNSSEC (for a yearly fee, of course) - however, cloudflare.com offers this service via proxy at no charge.

Here is the “live chat” conversation I had with the 1&1 representative earlier today:

1&1
*Hi, thank you for contacting 1&1 IONOS, how can I help you *

Customer
I would like to add a ds record to my account, in order to enable DSNSEC through cloudflare. I do not see an option to submit a ds record in the DNS section of my account.

1&1
We understand that you would like to add that record however 1&1 IONOS does not have that function as we are not using Cpanel or Plesk interface.

Customer
Is there any way for me to use DNSSEC through cloudflare?

1&1
1&1 IONOS does not have that feature. If you would like to activate DNSSEC on your domain, we do have that as an additional feature which is called Domain Guard.

Customer
What is the name of the web server panel that you use?

1&1
We do have our own interface, we do not use cPanel or Plesk in shared hosting .

Customer
Is there currently a ds file associated with my webspace?

1&1
I cannot see any ds file on your webspace.

Customer
Does that mean you do not have access but it is possible that I do have a ds file? Or were you able to look and see that I do not have one in the place that it should be? Does that mean you do not have access but it is possible that I do have a ds file? Or were you able to look and see that I do not have one in the place that it should be?

1&1
You may check on your webspace, just go to hosting & and choose WebSpace and click “Use Webspace” If you want to activate DNSSEC for your domain, you need to have the Domain Guard as we do not support ds records as well Yes its possible with other provider as they support ds records as well. We do not use cPanel or Plesk we have our own interface.

After reading some articles here on Cloudflare, I found ICANN’s Registrar Accreditation Agreement located here: https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en

Upon doing a keyword search for “DNSSEC”, I found near the bottom of the document it says:

  • ADDITIONAL REGISTRAR OPERATION SPECIFICATION

This Specification may be modified by ICANN from time to time after consultation with the Registrar Stakeholder Group (or its successor), provided that such updates are commercially practical with respect to the registrar industry, taken as a whole.

  1. DNSSEC Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC. Such requests shall be accepted and processed in a secure manner and according to industry best practices. Registrars shall accept any public key algorithm and digest type that is supported by the TLD of interest and appears in the registries posted at: http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml and http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xml. All such requests shall be transmitted to registries using the EPP extensions specified in RFC 5910 or its successors.*

Can I interpret this to mean ICANN doesn’t want any registrars to withhold the use of DNSSEC by those who do not want to pay for it? If so, 1&1 is obligated to (at the very least) allow me to submit the appropriate information so I can utilize cloudflare’s DNSSEC option.

I reported 1&1 to ICANN using their form.

What do you all think?

1 Like