Anyone using DNSSEC?

Started by bill, March 29, 2018, 08:34:20 AM

bill

Have any of The Core bothered setting up DNSSEC for their domains?

I've been reading articles that range from "It's the future of DNS" to "Forget about it". Just wondering if anyone here had experience they could share. Before I invest the time and money I wondered if it was even worth my time for the average site. I could see the benefits if I was running the PayPal site, but I doubt the sites I'm running would be the type that require secure DNS.

ergophobe

Unfortunately, same experience here. Research. Get confused. Decide that if I'm not worried even about PCI compliance, let alone state secrets, I'm going to wait.

bill

Yikes! This is expensive. My registrar gave me an estimate on the upper end of 5 figures (USD) for a year of DNSSEC. Didn't realize it would be that much. That's going to be hard to justify.

ergophobe

So I finally looked into this a bit more after analyzing a few sites with Hardenize
https://www.hardenize.com/

Turns out this is not hard or expensive.

You can enable it for free via Cloudflare
First turn it on
https://www.cloudflare.com/dns/dnssec/

Then set it up on your registrar (in my case Namecheap)
https://support.cloudflare.com/hc/en-us/articles/209833347-How-to-add-a-DS-record-to-Namecheap

Or set it up on Namecheap for 40 cents per month

It comes with Namecheap Premium DNS, which is $4.88/year
https://www.namecheap.com/support/knowledgebase/article.aspx/9723/2232/managing-dnssec-for-domains-pointed-to-premium-or-basicdns
https://www.namecheap.com/security/premiumdns.aspx

Or set up your own BIND server for whatever the server costs ($5/month for the slave and master = $10/month).
https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

In my case, I'm on the Cloudflare + Namecheap option. When I run it through a tester,
https://dnssec-analyzer.verisignlabs.com

I get this (see attached image - all tests pass)

bill

Interesting. This particular registrar doesn't provide DS records unless I move to a super expensive DNS tier. I may need to point to a 3rd party DNS provider...if that would even work. To the best of my knowledge to get a full DNSSEC stack you'd need registrar-level keys to sign the root, so that might not even be an option.

ergophobe

Quote from: bill on April 16, 2018, 10:54:51 PM
To the best of my knowledge to get a full DNSSEC stack you'd need registrar-level keys to sign the root, so that might not even be an option.

That is correct. Your registrar and your DNS provider must be able to exchange the hash, I suppose very roughly like a TLS handshake (or probably more like a DKIM verification actually).

So if you can't set the hash, specify the hash schema and algorithm etc at the registrar, there's no point in doing anything at the DNS level. In fact, I think that might just serve to make your site inaccessible, because the hash check would fail and security conscious browsers would block the site.
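Added example (written for this thread; it is not code from either poster, from Cloudflare, or from Namecheap): the "hash" that ergophobe's setup steps have you copy from the DNS provider into the registrar is a DS record, a digest of the child zone's DNSKEY together with the owner name (RFC 4034/4509). The code below builds that DS record from a DNSKEY and then performs the comparison a validating resolver makes at the zone cut, which is why a DS that does not match the DNSKEY breaks resolution rather than merely leaving the zone unsigned. The owner name `example.com.` and the 64 key bytes are constructed placeholders, not a real key; everything else is standard-library Python.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509). Registrar forms
# such as the Cloudflare/Namecheap ones mentioned above ask for exactly these fields:
# key tag, algorithm, digest type, digest.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA on the wire (RFC 4034 s2.1): flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """The DS record the parent zone (entered at the registrar) must publish for this DNSKEY.
    digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_from_dnskey_line(line, digest_type=2):
    """Parse presentation format ('owner [ttl] [IN] DNSKEY flags proto alg base64...') and derive its DS."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return ds_record(fields[0], flags, protocol, algorithm, pubkey, digest_type)


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey):
    """The check a validating resolver performs at the zone cut: does the parent's DS
    identify this child DNSKEY? A mismatch breaks the chain of trust, so the zone is
    treated as bogus (SERVFAIL) by validating resolvers."""
    expected = ds_record(owner, flags, protocol, algorithm, pubkey, ds["digest_type"])
    return (ds["key_tag"] == expected["key_tag"]
            and ds["algorithm"] == expected["algorithm"]
            and ds["digest"].upper() == expected["digest"])


# Constructed sample KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 13 (ECDSA P-256).
# The 64 key bytes are a placeholder pattern, not a real public key.
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY = bytes(range(1, 65))
SAMPLE_DNSKEY_LINE = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(SAMPLE_PUBKEY).decode()

if __name__ == "__main__":
    ds = ds_from_dnskey_line(SAMPLE_DNSKEY_LINE)
    print(f"{SAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    # Correct DS at the registrar: chain intact.
    print("match:", ds_matches_dnskey(ds, SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY))
    # Key rolled at the DNS provider but the registrar's DS not updated: chain broken.
    rolled = bytes(range(64, 0, -1))
    print("stale DS after key roll:", ds_matches_dnskey(ds, SAMPLE_OWNER, 257, 3, 13, rolled))
```

Running it prints the DS line you would paste into the registrar's DNSSEC form, followed by the match result for the current key and the mismatch you get if the key is rolled without updating the DS. The second case is the one to watch in practice: a DNSSEC analyzer like the Verisign Labs one linked above reports it as a broken chain, and validating resolvers will refuse to return answers for the zone until the DS is corrected or removed.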