DNSSEC & Namecheap

Dan

Moderator
Hey there!

The default resolv.conf file supplied by KH includes the localhost (127.0.0.1) which prevents us from changing to PowerDNS if we want to enable DNSSEC. Is the localhost reference needed or can it be changed? If it's changed is it going to revert on a reboot?

I read in a previous post by @KH-DavidL that Namecheap does not support DNSSEC, does anyone know if this is still the case? According to this page and this page it looks like they do at least for the majority of TLDs. However, don't you need DNSSEC for each DNS server? I see that you can 'Add New DS' but how do you associate them with your individual nameservers?

Is anyone actually using DNSSEC on their KH VPS using Namecheap as a registrar? Did you have any issues or am I making it more difficult than it really is?

Thanks!
 

KH-JonathanKW

Technical Support
Staff member
Hey Dan,

I don't use DNSSEC at NameCheap myself ; however -- only Bind is available for our OpenVZ (MVPS) plans.

The consistent set resolv.conf prevents any other DNS from being used; as upon reboot it does restore to the default resolv.conf.

I've attached an image straight from an OpenVZ VPS and the DNS Selection.

Only the Cloud VPS's or Dedicated Servers have the ability to maintain their own resolv.conf.

I'll let someone else chime in on the DNSSEC usage.
 

Attachments

Dan

Moderator
Hi Jonathan!

I thought that might be the case and unless I want to host my DNS externally (which I don't really want to do) whether or not Namecheap supports DNSSEC becomes a moot point :) However that doesn't mean I wouldn't be interested from hearing from people who are doing it!

Thanks Jonathan!!
 
Hello,

I use Namecheap "Advanced DNS"(Since 2016) and DNSSEC on my domain(.com) but not on the nameservers. I never thought about the nameservers to be honest. Not sure neither how to add them. I know to add my IPv6 nameservers that I had to open a ticket because the client portal only allowed IPv4 so maybe I will open a ticket with them to see about the DNSSEC for nameservers.

I do use Premium DNS at Namecheap because I have so much DNS crap pointing to so many different services all over the web that I decided to use Namecheap Advanced DNS because of the 1 min TTL and being redundant. Can't rely on my VPS for DNS in case it goes down. If it would go down, about 60 PBX phone systems would also.

If I changed a DNS zone like adding an A record, I need to reset the DNSSEC at Namecheap (Important: have to re-sign the zone every time any record within it changed). Just need to flip DNSSEC "Off an On" at Namecheap. If I don't resign it, Newly added "A" record will not be shown as it is like "DNS cache poisoning". This made me scratch my head for quite some time until I flip the switch on DNSSEC and saw my newly created A records being advertise and DNSStuff.
 

Dan

Moderator
Hi Jean!

Sounds to me like you are using DNSSEC at namecheap but that they are hosting your DNS too.

It's very interesting that it needs to be re-signed after every zone edit. Do you need to update the public or private keys somewhere after making an edit and re-signing the zone?

Thanks!
 
Hi,

Yes they are hosting my DNS so it's easier for me to enable DNSSEC. Also, if one of my server goes down, I can point my 'A' record to another server under a minute and show a custom page or use my JetBackup Disaster recovery to quickly restore to a new server and switch A and NS record IP's fast at Namecheap (all my TTL's are set @ 60 sec) with the help of Google Flush Cache service.

For the DNSSEC, Namecheap will take care of all the required DS, RRSIG, DNSKEY, NSEC for me because I use Premium DNS services. No need to update public key or private keys. I've toggle the on and off switch for DNSSEC multiple time and it always work first try. Now if I would use my own DNS server.

The DNSSEC re-signed is to avoid DNS cache poisoning. It's just to confirm that all records are valid and not spoof. It is not automated at Namecheap. It requires me switching DNSSEC "off" and then back to "on" again.

It seems to be easier to use Premium DNS service at Namecheap than to change the resolv.conf, switch DNS to PowerDNS and then push and pull data so the registrant and registrar can validate the dns records.

I wish I could help you with using your own VPS to create DNSSEC but I went to easier way and just use namecheap.
 
  • Like
Reactions: Dan
Top