Ask HN: Do we need a better domain registrar?
Hi HN,
Recently I've been researching a lot about the DNS infrastructure, and frankly I'm quite disappointed by the services provided by the average domain registrar. Most of them seem to treat DNS as a 'byproduct' in order to sell other services and they only seem to compete on price. As a result, they spend minimal effort on security, protocol compliance and advanced features that DNS has to offer.
I'm talking about features such as:
- 2FA on the control panel
- Full support of all record types (CAA, DS, CDS, etc.)
- DNSSEC key material stored in a HSM
- Ability to manage your own DNSSEC keys (DS record support)
- Support for domain locking (EPP status codes)
- Domain transfers while keeping DNSSEC activated
- Audit logs
- DANE support
I want to change this by starting a domain registry and hosted authoritative DNS service for professionals, with a strong focus on security.However, the domain name market is saturated and very competitive (in price, volume), so the service would not be able to compete on price.
My question is: Is it just me or is there actually an opportunity for a 'better' DNS service?
10 comments
[ 4.2 ms ] story [ 47.8 ms ] threadYeah, there’s lots of room for a better domain registrar, but such a registrar should focus on doing a better job at registrar things instead of wasting time on DNS.
A big issue is that registrars will happily take down domains when a law firm reaches out to them, there’s simply zero interest in standing by their customers.
EDIT: I was too soon, didn't see you updated your post.
> A big issue is that registrars will happily take down domains when a law firm reaches out to them, there’s simply zero interest in standing by their customers.
That's what EPP status codes are for, if implemented correct, the registrar can't even change the domain ownership even if they want or are forced to.
> almost none of the largest, best-funded security teams in the world bother DNSSEC-signing
Do you have any sources to back your claim about this? I'm having a hard time believing that the best-funded security teams prefer weak authentication over no authentication.
It's 2018. You think maybe they're just late to the party? No: they've decided not to do it, the same way the browser teams decided not to support DNSSEC in their libraries or UX.
You can split it anyways, search for your favourite DNS provider and for your favourite domain registrar. There is no need to have both at your domain registrar.
DNSSEC has complicated that a bit. Since you need to have your registrar send the value for the DS key to the tld registry. In theory you could set a CDS record and be done with it, but as always, most registrars don't bother in supporting it.