
AWS Route 53 DNS Service Does Not Support DNSSEC - privateSFacct
Q. Does Amazon Route 53 support DNSSEC?

Amazon Route 53 does not support DNSSEC for DNS at this time.

FAQ Here: https://aws.amazon.com/route53/faqs/

Can AWS still be used for services with stronger security needs or folks who want to support a secure web?
======
tptacek
How strange, you might say. What other big tech companies have failed to
implement this important standard?

Has Google, for GOOGLE.COM? No.

Apple? No.

Microsoft? Negatory, good buddy.

Oracle? Norp.

Netflix? Nopers.

Facebook? Nah.

Twitter? Nein!

Cisco? Nyet.

IBM? Nervenvarn!

Salesforce.com? Nay.

Stripe? Absolutely not.

Braintree? Perish the thought.

What about Github? What about no!

Bank of America? Bank of no DNSSEC.

Citigroup? Bullfinch! †

Surely Schwab. But, alas, no.

Goldman Sachs? Not on your life.

JPMC? Nah.

Aha, NASDAQ! No way.

DNSSEC is moribund. It's a failed standard with no support, and its position
_worsens_ with each passing month (it's taking hits from DoH, from RDAP, from
CT, from MTA-STS, from multi-perspective lookup, and also from serious
security operators not trusting the DNS to begin with). Not implementing this
pointless IETF boondoggle is one of the more forward-thinking decisions AWS
has made.

† _(A website assures me that this is in fact a synonym for "nope")._

------
QuinnyPig
There are serious questions as to whether DNSSEC is worth pursuing at this
time. Large banks haven't rolled it out. Tax authorities generally haven't
either. I think the post begs the question...

------
throwaway413
(Unrelated)

Is there a way to access whois records for Route53? I cannot for the life of
me find a way to query their domain records. If I look up a domain registered
through Route53 using another whois lookup tool, it will point me to
`registrar.amazon.com` which just redirects to the Route53 landing page. I
have crawled through their entire sitemap looking for a search tool but have
yet to find one.

Anyone have any info on whois records with Route53? Thanks.

------
Bucephalus355
GCP is the only service that I know of that supports this.

That being said, AWS does allow you to put your name servers somewhere else,
say GCP, and then do DNSSEC there.

Really the main security concern with AWS is no browser in the terminal. This
feature, which both GCP and Azure have, really eliminates the ssh-key litter.

------
privateSFacct
Yep - also looks bad for DoS amplification.

What’s the better solution?

------
Spooky23
Q: Why would they?

