
Ask HN: Do we need a better domain registrar? - LeonM
Hi HN,

Recently I've been researching a lot about the DNS infrastructure, and frankly I'm quite disappointed by the services provided by the average domain registrar. Most of them seem to treat DNS as a 'byproduct' in order to sell other services, and they only seem to compete on price. As a result, they spend minimal effort on security, protocol compliance and advanced features that DNS has to offer.

I'm talking about features such as:

  - 2FA on the control panel
  - Full support of all record types (CAA, DS, CDS, etc.)
  - DNSSEC key material stored in an HSM
  - Ability to manage your own DNSSEC keys (DS record support)
  - Support for domain locking (EPP status codes)
  - Domain transfers while keeping DNSSEC activated
  - Audit logs
  - DANE support

I want to change this by starting a domain registry and hosted authoritative DNS service for professionals, with a strong focus on security.

However, the domain name market is saturated and very competitive (in price, volume), so the service would not be able to compete on price.

My question is: Is it just me or is there actually an opportunity for a 'better' DNS service?
======
tptacek
There is a reason that almost none of the largest, best-funded security teams
in the world bother DNSSEC-signing; it's because DNSSEC has, at best, marginal
security value. It's a failing protocol. I don't know that building a business
around it is a great plan.

~~~
LeonM
DNSSEC is a compromise because of backward compatibility, but the alternative
is not signing at all.

> almost none of the largest, best-funded security teams in the world bother
> DNSSEC-signing

Do you have any sources to back your claim about this? I'm having a hard time
believing that the best-funded security teams prefer weak authentication over
no authentication.

~~~
tptacek
Sure. Go to the Verizon DNSSEC Analyzer site and type in the domains of giant
banks, like BankOfAmerica.com and Chase.com. Those are companies with security
teams consisting of hundreds of people, and "authentication" is something they
spend fuckloads of money on. None of them are DNSSEC-signed.

It's 2018. You think maybe they're just late to the party? No: they've decided
not to do it, the same way the browser teams decided not to support DNSSEC in
their libraries or UX.

------
nik736
DNS is a byproduct because 99.99% of the people don't want to pay for it. This
is why domain registrars are not bothering that much about it; they don't earn
money with it.

You can split it anyways, search for your favourite DNS provider and for your
favourite domain registrar. There is no need to have both at your domain
registrar.

~~~
LeonM
> You can split it anyways, search for your favourite DNS provider and for
> your favourite domain registrar. There is no need to have both at your
> domain registrar.

DNSSEC has complicated that a bit, since you need to have your registrar send
the value for the DS key to the TLD registry. In theory you could set a CDS
record and be done with it, but as always, most registrars don't bother
supporting it.
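
The DS value and the CDS shortcut mentioned above, as an added example that is not from the thread or any registrar's code: it derives the DS rdata a registrar submits to the TLD registry from a zone's KSK DNSKEY (RFC 4034/4509) and checks a zone's CDS set against what the parent publishes (RFC 7344/8078). The owner name and key bytes are constructed sample values, not real key material.

```python
import base64
import hashlib
import struct

# Constructed sample: a 64-byte all-zero "public key", NOT real key material.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK_B64 = "A" * 86 + "=="   # base64 of 64 zero bytes
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 13   # KSK, DNSSEC, ECDSAP256SHA256


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire-format owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag computed over the DNSKEY rdata (RFC 4034 appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """DS presentation rdata for a DNSKEY; digest type 2 = SHA-256 over owner name + rdata (RFC 4509)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def parent_needs_update(cds_records, parent_ds_records):
    """Compare a zone's CDS set (RFC 7344, same rdata format as DS) with the DS set
    its parent publishes. Returns (needs_update, action); the special CDS
    '0 0 0 00' (RFC 8078) asks the parent to remove the delegation's DS records."""
    def norm(recs):
        return {" ".join(r.split()).upper() for r in recs}
    cds, ds = norm(cds_records), norm(parent_ds_records)
    if cds == {"0 0 0 00"}:
        return (bool(ds), "delete")
    return (cds != ds, "replace" if cds != ds else "none")


if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_KSK_B64)
    print("DS to submit to the TLD registry:", ds)
    print("parent already in sync:", parent_needs_update([ds], [ds]))
    print("parent still empty:", parent_needs_update([ds], []))
```

A registrar that honours CDS would poll the child zone, run the comparison above against the DS set it last submitted, and push the change to the registry over EPP.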

------
ryanlol
DNSSEC stuff is terribly boring.

Yeah, there’s lots of room for a better domain registrar, but such a registrar
should focus on doing a better job at registrar things instead of wasting time
on DNS.

A big issue is that registrars will happily take down domains when a law firm
reaches out to them, there’s simply zero interest in standing by their
customers.

~~~
LeonM
What would a registry need to do better when it comes to registering things?
Any examples you can share?

EDIT: I was too soon, didn't see you updated your post.

> A big issue is that registrars will happily take down domains when a law
> firm reaches out to them, there’s simply zero interest in standing by their
> customers.

That's what EPP status codes are for: if implemented correctly, the registrar
can't even change the domain ownership, even if they want to or are forced to.

------
hopesthoughts
Yeah, one that simply acts as a neutral registrar, and nothing else. In other
words, doesn't try to take down domains that it thinks are offensive, and
doesn't cave to public (mostly Twitter) pressure.

------
stephenr
This is why I moved my domains to NameSilo. All they do is domains, and they
specifically focus on providing a better service, rather than just relying on
hosting/email customers needing a .com.

------
Rjevski
DNSimple for me is this “better” DNS service. As far as I know it does all the
things on your list. It’s expensive, but worth it for me. You may want to
check it out!

