[Systems] Gandi support status for AAAA and DNSSEC (was Re: Fwd: Gandi donates large amount of account credit to Conservancy for VPS's, domain registration, and SSL certificates)

Bernie Innocenti bernie at sugarlabs.org
Thu Aug 2 15:22:37 EDT 2012


On Thu, 2012-08-02 at 11:46 -0400, Bradley M. Kuhn wrote:
> Bernie Innocenti wrote at 14:08 (EDT) on Wednesday:
> > I transferred the SL domains from Gandi to name.com a few years ago
> > because Gandi did not support setting DS records in the .org tld (for
> > DNSSEC support), nor AAAA glue records (for full IPv6 support).
> 
> AAAA records appear to be available from the default Gandi control panel
> for Gandi-hosted DNS.

I meant the "AAAA glue records" that the registrar needs to store into
the .org TLD to break the circular dependency between a domain and its
nameservers:

http://en.wikipedia.org/wiki/Domain_Name_System#Circular_dependencies_and_glue_records


> Sadly, Gandi still says in the panel:
> >>> It is not currently possible to use DNSSEC with Gandi's DNS servers.
> 
> So, they support it only as a secondary DNS server.  They have no way to
> host it themselves:
>   http://www.gandibar.net/post/2012/03/02/DNSSEC-at-Gandi
> 
> However, it seems this would work for you, no?  It seems sugarlabs.org
> uses its own DNS servers:
> 
> Name Server:NS1.CODEWIZ.ORG
> Name Server:NS1.SUGARLABS.ORG
> Name Server:NS2.SUGARLABS.NET

We do maintain our own DNSSEC keys and sign the zones ourselves.

However, there's still one bit of work that must be done by the
registrar: store our "Delegation Signer" record into the .org zone to
enable external sites to verify our signature recursively:

  http://tools.ietf.org/html/rfc4034

-- 
Bernie Innocenti
Sugar Labs Infrastructure Team
http://wiki.sugarlabs.org/go/Infrastructure_Team


