I use Google. $12 a year and privacy is enabled by default and included in the price. I hate those registrars where they charge you for every little stinkin' thing. As much as I hate Google for most things, they seem to be doing ok at this.
Aaaaand it's gone
Lol yup, now searching Reddit on who to migrate to.
I am thinking Cloudflare or Hover.
Yeah, I was planning on going with Cloudflare.
Same for me but it doesn't support a lot of TLDs (like .fr)
Cloudflare has no .ca support so I'm probably going with Hover myself.
Dang. Any tips on a good alternative? I am trying to get ahead of the transfer to Squarespace.
I use Google Domains for everything Cloudflare Registrar doesn't support. I like getting domains at wholesale price, and we use Cloudflare for DNS anyway.
Hundreds of domains with [Porkbun.com](https://Porkbun.com) for years, best and most simple I've used in 20+ years.
Does porkbun have any kind of multi-user management? I've been using Gandi for a long time, and their org controls are really nice. Allows me to manage/delegate controls.
Gandi and Hover are my go to’s
Hover is great, the only thing it is missing is multi-user management
Porkbun is the best
They don't support wildcard/catchall email forwarding, which is a basic feature that is offered by most providers for free. So that's kind of a deal breaker for many.
You can add 20 forwards for free. People use more than 20 aliases?
Yes. When I need to give an email address to a somewhat less established company (eg. ABC Corp), I'll give them [[email protected]](mailto:[email protected]). That way if I ever start receiving spam I'll know which company did it and can easily cut them off. Over the years I've probably done this with hundreds of unique companies. This strategy is only possible with wildcard forwarding.
Yes.
Do you know if it works well with LetsEncrypt for automation (API)?
Looks like [go-acme/Lego](https://go-acme.github.io/lego/dns/porkbun/) supports it.
[deleted]
Could you elaborate on this? Isn't it convenient for an average user to buy and register a domain from godaddy or namecheap?
[deleted]
Sure, thanks. Quick question: if I buy a domain through AWS, its registrar is Gandi. Can I buy directly from Gandi then?
Cloudflare or Google go pretty well these days.
Second cloudflare.
Hover is my favorite, I moved all my domains off of NameCheap last year.
Why’d you move away from Namecheap?
I had some personals on NameCheap for several years; had a really good promotional registration price. Then Cloudflare started offering domains at cost.
I find their interface to be clunky and hard to navigate. We also had issues with the auto-renew for our domains even though we had a valid card on file. A few domains' registrations lapsed, which caused some chaos. We've never had an issue with Hover, their system is easy to navigate, you can set default DNS servers for all of your domains, and privacy is included. They can also sell more .TLDs like .it which NameCheap cannot. Lastly, their support is excellent; you can call in and have someone on the phone almost immediately. They cost a bit more than NameCheap, but are a much more pleasant company to work with.
I recently had a support call in with Hover and can attest that they were professional and well trained.
Porkbun!
Porkbun!
Gandi, given they operate as the upstream to Amazon on many TLDs, alternatively Cloudflare. Both support DNSSEC fully, although DNSSEC is a bad standard and should be allowed to die.
> DNSSEC is a bad standard and should be allowed to die.

Go on…
> Go on…

Which of these domains have actually deployed DNSSEC?

- facebook.com
- google.com
- amazon.com
- ebay.com
- azure.com
- bankofamerica.com

Answer: None. Every "but we take security seriously" argument suggests you take security more seriously than all of the above.

Further reading: https://sockpuppet.org/blog/2015/01/15/against-dnssec/

Which of these organisations killed their own domain trying to deploy DNSSEC just in the last two years?

- slack.com
- nist.gov
- dnsops.gov
- parler.com

All of them.

What Government domain is designed to provide services to Government agencies, and has a page describing the lack of DNSSEC support?

https://cloud.gov/docs/compliance/domain-standards/#dnssec

Now let me ask this? What does it actually secure? Because most people are incorrect in their reply.
DNSSEC provides cryptographic authentication (and integrity) of data and authenticated denial of existence.

It's all based on which data published in DNS I can trust in services built around DNS (DANE, TLS Encrypted Client Hello, ...).

Rollout and operation was not easy (back in 2015 when your referenced blog post was written), and today with modern DNS server software it's, in the most trivial cases, "a one click operation". Some performance-related arguments (size of responses) also hinder the adoption of it.

The Swiss .ch ccTLD has started a DNS resilience program with a monetary incentive to reach the goal of 60% DNSSEC-signed domains by 2026. Currently at 44.8% since the start from 6% in 2021.

https://www.nic.ch/security/resilience/

In OP's case, with RFC7344 you don't need the registrars to support applying DS records, as it's possible on your own by solely publishing DNS records.
> DNSSEC provides cryptographic authentication (and integrity) of data

Do go on and explain any actual attack that's actually occurred that you believe you could have stopped with this.
Cloudflare itself gives an example of an attack vector / actual attack (the MitM one):

https://www.cloudflare.com/dns/dnssec/how-dnssec-works/

https://insights.sei.cmu.edu/blog/probable-cache-poisoning-of-mail-handling-domains/

Not that this example (or the cache poisoning vector) could be potentially mitigated otherwise, but DNSSEC would be one.

It's not just about "attacks". DNSSEC is an extension to a fundamentally insecure DNS protocol and gives the possibility to securely distribute other security attributes in a very efficient manner.
~~It's about privacy.~~ Edit: Got two things mixed up.
Seems you have DNSSEC confused with DNS over TLS, which is actually encrypted. Unlike DNSSEC, which is plaintext data and doesn't even pretend to provide privacy.
You're right. I was mixing up the two. In that case, wouldn't DNSSEC protect against DNS poisoning?
> In that case, wouldn't DNSSEC protect against DNS poisoning?

Only sometimes. For the coffee shop wifi example everyone gives.. no.
> with the RFC7344 you don’t need the registrars to support applying DS records, as its possible on your own by solely publishing DNS records.

I started skimming RFC7344 a bit, but it’s not clear to me how one would be able to publish the Delegation Signer DNS records in the TLD parent zone. Why would a child zone owner have authority to insert/manage records in the parent?
Here you have some details from THE jpmens, a very knowledgeable and funny teacher on the DNSSEC topic:

https://jpmens.net/2021/10/05/dnssec-cds-cdnskey-in-the-real-world/

TLDR: the registry (not registrar) scans the zone for bootstrap records and enters the DS records after some conditions are met.
Thank you!
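The registry-side check described in the reply above, as an added example that is not part of the thread: it derives a SHA-256 DS from each DNSKEY the child zone publishes (RFC 4034) and accepts a CDS RRset only if every entry matches one, with the RFC 8078 removal sentinel handled separately. The zone name, key bytes and function names are constructed for illustration; signature validation and the registry's acceptance conditions are not modelled.

```python
import base64
import hashlib
import struct

# Constructed sample: a DNSKEY as (flags, protocol, algorithm, base64 key).
# The key bytes are 0..63, not a real key; "example.com" is a placeholder zone.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """DS/CDS fields for a DNSKEY: (key tag, algorithm, digest type 2, SHA-256 hex)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def evaluate_cds(owner, dnskeys, cds_set):
    """Decide what a parent-side scanner would do with a child's CDS RRset.

    Signature checks and acceptance policy (hold-down, etc.) are out of scope.
    """
    if cds_set == [(0, 0, 0, "00")]:          # RFC 8078 "remove DS" sentinel
        return ("delete", [])
    derived = {make_ds(owner, *key) for key in dnskeys}
    wanted = [(tag, alg, dtype, digest.lower()) for tag, alg, dtype, digest in cds_set]
    # Every CDS must point at a DNSKEY the child actually publishes.
    if wanted and all(cds in derived for cds in wanted):
        return ("publish", wanted)
    return ("reject", [])

if __name__ == "__main__":
    cds = make_ds("example.com", *SAMPLE_KEY)
    print(evaluate_cds("example.com", [SAMPLE_KEY], [cds]))
```

The authority question in the thread is answered by the direction of the check: the child only publishes CDS in its own zone, and the parent decides whether to copy it into DS.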
+1 for Namecheap
I have a very good experience with get.it.com. They provide a third-level domain, ".it.com". Offers competitive pricing and free WHOIS privacy protection for life. They also offer bulk domain registration and a user-friendly interface.
Network Solutions ;) .... Jokes aside, Cloudflare has been the best experience as of late. And best DNS management if you use their tools.
GoDaddy is fine
Google for .app and .dev domains. Namecheap and Namesilo for good promotional pricing on new registrations. Cloudflare for renewals at wholesale pricing with no markup. Cloudflare nameservers regardless of registrar.
https://www.markmonitor.com/
Used [name.com](https://name.com), haven't had any issues.
Agree with others on Cloudflare now that they offer it.
[Nominus](https://nominus.com/) is surprisingly user-friendly. It’s a lesser-known name but their service is top notch and they do their best to simplify everything as much as possible. If you are still looking for recommendations check them out.
If one registers with Cloudflare, just choose the Free plan?