[Systems] Gandi support status for AAAA and DNSSEC (was Re: Fwd: Gandi donates large amount of account credit to Conservancy for VPS's, domain registration, and SSL certificates)

Bernie Innocenti bernie at sugarlabs.org
Thu Aug 2 15:22:37 EDT 2012

On Thu, 2012-08-02 at 11:46 -0400, Bradley M. Kuhn wrote:
> Bernie Innocenti wrote at 14:08 (EDT) on Wednesday:
> > I transferred the SL domains from Gandi to name.com a few years ago
> > because Gandi did not support setting DS records in the .org tld (for
> > DNSSEC support), nor AAAA glue records (for full IPv6 support).
> AAAA records appear to be available from the default Gandi control panel
> for Gandi-hosted DNS.

I meant the "AAAA glue records" that the registrar needs to store into
the .org TLD to break the circular dependency between a domain and its


> Sadly, Gandi still says in the panel:
> >>> It is not currently possible to use DNSSEC with Gandi's DNS servers.
> So, they support it only as a secondary DNS server.  They have no way to
> host it themselves:
>   http://www.gandibar.net/post/2012/03/02/DNSSEC-at-Gandi
> However, it seems this would work for you, no?  It seems sugarlabs.org
> uses its own DNS servers:
> Name Server:NS1.CODEWIZ.ORG

We do maintain our own DNSSEC keys and sign the zones ourselves.

However, there's still one bit of work that must be done by the
registrar: store our "Delegation Signer" record into the .org zone to
enable external sites to verify our signature recursively:


Bernie Innocenti
Sugar Labs Infrastructure Team
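
The Delegation Signer step described in the message above, as an added example that is not part of the original post: it derives the DS record (RFC 4034, SHA-256 digest type 2 per RFC 4509) that a registrar would place in the parent zone from a self-managed DNSKEY, and performs the comparison a validating resolver makes. The function names, the `example.org.` owner name and the key bytes are assumptions constructed for illustration, not Sugar Labs' real keys.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol (8), algorithm (8), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type, digest) to hand to the registrar."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(ds: tuple, owner: str, rdata: bytes) -> bool:
    """Validator-side check: does the parent's DS commit to this child DNSKEY?"""
    tag, alg, dtype, digest = ds
    if dtype != 2 or tag != key_tag(rdata) or alg != rdata[3]:
        return False
    expected = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return hmac.compare_digest(expected, digest.lower())

# Constructed key material: flags 257 (KSK), protocol 3, algorithm 8 (RSA/SHA-256).
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
OTHER = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")
DS = make_ds("example.org.", KSK)

if __name__ == "__main__":
    print("example.org. IN DS %d %d %d %s" % DS)
    print("parent DS matches child KSK:", ds_matches(DS, "example.org.", KSK))
```

Without a DS in the parent zone the chain of trust stops at .org, so resolvers treat the self-signed zone as unsigned rather than validated.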
