

Ask HN: Should I enable DNSSEC for my start-up? - Nizumzen

As the title really. Should I make the effort to enable DNSSEC for my start-up? At the moment I&#x27;m currently using Amazon Route 53 but could move to custom DNS servers if supporting DNSSEC is considered important enough.<p>My start-up is directed at very technical users (developers primarily) so I get the feeling that they will appreciate the extra security that DNSSEC provides but at the same time running my own DNS is an extra expense that might be better used for something else.<p>Another advantage of running my own DNS servers is that I can supply DNS services to clients as well which would be a nice little add-on for them.<p>What would you do?
======
donavanm
What compelling business need is there for DNSSEC? The only thing I can think
of are some of the compliancy rules for gov/corp work coming up in 2014 &
2015\. Unless DNSSEC makes you money youre wasting your time.

Secondly any comment that trivializes DNSSEC implementation has little real
world experience. Go read the DNS OARC archives. Major orgs, .gov, TLDs, etc,
_regularly_ break DNSSEC deployments. These are the domain experts who are
pushing Wider adoption. If they can't consistently execute why do you believe
you will be successful?

~~~
Nizumzen
I don't think I claimed that implementing DNSSEC was easy.

But I'll certainly take your advice about reading the archives to get some
perspective.

------
Arnt
Pro: It's not much trouble, DANE and other things will make it worthwhile, and
it's easier to do when you can still have a bit of downtime without pain.

Contra: There's always much to do in a startup. Deferring tasks is good, even
though they'll be more difficult later.

There are a few providers around who'll do most of the job for you. It's
called a "hidden primary", and easydns offers it, among others.

~~~
Nizumzen
Thanks for the comment. I'll look into EasyDNS and see what services they
provide.

I may well take your advice and just go with a normal DNS deployment and then
later on when I have more time make more of an effort to deploy DNSSEC.

