Ask HN: Do we need a better domain registrar?
5 points by LeonM on Aug 7, 2018 | hide | past | favorite | 10 comments
Hi HN,

Recently I've been researching a lot about the DNS infrastructure, and frankly I'm quite disappointed by the services provided by the average domain registrar. Most of them seem to treat DNS as a 'byproduct' in order to sell other services and they only seem to compete on price. As a result, they spend minimal effort on security, protocol compliance and advanced features that DNS has to offer.

I'm talking about features such as:

  - 2FA on the control panel

  - Full support of all record types (CAA, DS, CDS, etc.)

  - DNSSEC key material stored in an HSM

  - Ability to manage your own DNSSEC keys (DS record support)

  - Support for domain locking (EPP status codes)

  - Domain transfers while keeping DNSSEC activated

  - Audit logs

  - DANE support

I want to change this by starting a domain registry and hosted authoritative DNS service for professionals, with a strong focus on security.

However, the domain name market is saturated and very competitive (in price, volume), so the service would not be able to compete on price.

My question is: Is it just me or is there actually an opportunity for a 'better' DNS service?


There is a reason that almost none of the largest, best-funded security teams in the world bother DNSSEC-signing; it's because DNSSEC has, at best, marginal security value. It's a failing protocol. I don't know that building a business around it is a great plan.


DNSSEC is a compromise because of backward compatibility, but the alternative is not signing at all.

> almost none of the largest, best-funded security teams in the world bother DNSSEC-signing

Do you have any sources to back your claim about this? I'm having a hard time believing that the best-funded security teams prefer weak authentication over no authentication.


Sure. Go to the Verizon DNSSEC Analyzer site and type in the domains of giant banks, like BankOfAmerica.com and Chase.com. Those are companies with security teams consisting of hundreds of people, and "authentication" is something they spend fuckloads of money on. None of them are DNSSEC-signed.

It's 2018. You think maybe they're just late to the party? No: they've decided not to do it, the same way the browser teams decided not to support DNSSEC in their libraries or UX.


DNS is a byproduct because 99,99% of the people don't want to pay for it. This is why domain registrars don't bother much with it: they don't earn money from it.

You can split it anyways, search for your favourite DNS provider and for your favourite domain registrar. There is no need to have both at your domain registrar.


> You can split it anyways, search for your favourite DNS provider and for your favourite domain registrar. There is no need to have both at your domain registrar.

DNSSEC has complicated that a bit, since you need to have your registrar send the value for the DS key to the TLD registry. In theory you could set a CDS record and be done with it, but as always, most registrars don't bother supporting it.
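The DS/CDS handoff described in the comment above is easy to get out of sync: the child publishes a CDS for its new KSK, but the parent still carries the DS for the old one. Below is an added example (not code from the thread or from any registrar) that computes the DS a parent must publish for a given DNSKEY, as RFC 4034 defines it, and compares the parent's DS set with the child's CDS set. The owner name, the KSK key bytes and the stale DS tuple are constructed, not real.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS (identical in content to a CDS) the parent must publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def check_delegation(parent_ds, child_cds):
    """Compare what the parent zone publishes (DS) with what the child requests (CDS)."""
    parent, child = set(parent_ds), set(child_cds)
    return {
        "in_sync": parent == child,
        "missing_at_parent": sorted(child - parent),  # new KSK not yet delegated
        "stale_at_parent": sorted(parent - child),    # old KSK the parent still trusts
    }


# Constructed KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 13 (ECDSAP256SHA256).
# The key bytes are arbitrary filler, not a real public key.
OWNER = "example.com."
KSK_PUBKEY = "AwEAAa+bSBuQ6wQrLpLKn5U0y3X2RzOYDGLExbG7ptOuX2w="

if __name__ == "__main__":
    cds = ds_from_dnskey(OWNER, 257, 3, 13, KSK_PUBKEY)
    stale_ds = (12345, 13, 2, "00" * 32)  # constructed leftover DS for a retired key
    print("child CDS :", cds)
    print(check_delegation([stale_ds], [cds]))
```

Running the same comparison against a live delegation (DS fetched from the parent, CDS and DNSKEY from the child) is the check to do before and after a transfer, since a DS left behind for a retired key breaks validation for every resolver that honours it.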


DNSSEC stuff is terribly boring.

Yeah, there’s lots of room for a better domain registrar, but such a registrar should focus on doing a better job at registrar things instead of wasting time on DNS.

A big issue is that registrars will happily take down domains when a law firm reaches out to them, there’s simply zero interest in standing by their customers.


What would a registry need to do better when it comes to registering things? Any examples you can share?

EDIT: I was too soon; I didn't see you had updated your post.

> A big issue is that registrars will happily take down domains when a law firm reaches out to them, there’s simply zero interest in standing by their customers.

That's what EPP status codes are for: if implemented correctly, the registrar can't even change the domain ownership, even if they want to or are forced to.


Yeah, one that simply acts as a neutral registrar, and nothing else. In other words, doesn't try to take down domains that it thinks are offensive, and doesn't cave to public (mostly Twitter) pressure.


This is why I moved my domains to NameSilo. All they do is domains, and they specifically focus on providing a better service, rather than just relying on hosting/email customers needing a .com.


DNSimple for me is this “better” DNS service. As far as I know it does all the things on your list. It’s expensive, but worth it for me. You may want to check it out!

