
Hurricane Electric secondary DNS adds support for TSIG authentication

I published a disappointing comparison of secondary authoritative DNS service providers last month. There weren’t any clear winners, as even the most expensive services lacked proper authentication (TSIG) for domain zone transfers (AXFR). However, one of the providers has stepped up its game and added TSIG support.

I had to email most of the service providers included in my comparison, as documentation across the board was quite poor. Without going into too much detail, there seems to be a direct correlation between the cost of a service and the quality of its support answers. Though not in the way you might expect! The services with a free tier replied quickly and answered my questions in the first message. The most expensive services were confused by my references to RFC standard numbers or simply didn’t respond.

Hurricane Electric’s (HE.net) free DNS services stood out, though. Over the course of a few weeks they’d not only replied to my support request where I asked for details about Secret Key Transaction Authentication for DNS (TSIG) support, but they’d also implemented TSIG support and rolled it out to all of their customers.

Unauthenticated AXFR leaves your DNS server open to misuse in traffic amplification attacks, as a single AXFR request can return the entire domain zone. TSIG authentication helps prevent both misuse of, and unintended information disclosure from, your DNS infrastructure. Many secondary DNS providers rely on the outdated practice of IP address whitelisting instead of proper AXFR request authentication.
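As an added illustration (not from the original post or from HE.net’s documentation), here is how the difference looks on a BIND 9 primary: the commented-out line is the IP-whitelist form, the active line requires a TSIG-signed request. The key name, algorithm, zone name, file path and the secondary’s address (203.0.113.10, a documentation range) are placeholders; the real TSIG parameters and transfer-source addresses come from HE.net’s zone settings.

```conf
// Shared secret, e.g. generated with `tsig-keygen he-secondary`.
// Key name and algorithm are placeholders; use what HE.net's panel shows.
key "he-secondary" {
    algorithm hmac-sha256;
    secret "<base64 secret from HE.net's zone settings>";
};

zone "example.net" {
    type primary;                 // "master" on BIND releases before 9.16
    file "/etc/bind/zones/db.example.net";

    // Outdated: anyone who can send from (or spoof) this address
    // can pull the whole zone.
    // allow-transfer { 203.0.113.10; };

    // TSIG: the AXFR request must carry a valid HMAC made with the shared key,
    // regardless of which address it comes from.
    allow-transfer { key "he-secondary"; };

    // Send NOTIFY only to the configured secondary (placeholder address),
    // not to every NS listed in the zone.
    notify explicit;
    also-notify { 203.0.113.10; };
};
```

After reloading, confirm from an outside host that `dig @<primary> example.net AXFR` is refused, while the same query with `-y hmac-sha256:he-secondary:<secret>` succeeds.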

HE.net’s DNS services are offered free of charge, and the service is in many ways better than many of the quite expensive services I considered in my comparison. (The comparison table has been updated.) You don’t get a service level agreement (SLA) or any uptime guarantees. However, what you do get is a cost-free secondary (or tertiary) authoritative DNS service with full IPv6 support in two dozen global anycast points-of-presence.

If you’ve been on the fence about rolling out a secondary (or tertiary) DNS provider for your domains then you should consider giving Hurricane Electric a few minutes of your time. (That is all it will take!)

HE.net’s secondary DNS service isn’t without its faults. They’re aggressively rate-limiting zone change notification (NOTIFY) requests. If you’re only making occasional changes the NOTIFY requests are acted upon within a few seconds, but they’re ignored entirely if you’re making changes as often as every hour. You can lower your zone’s time-to-live to work around this limitation but at the cost of reduced zone caching efficiency.

The HE.net DNS administration panel shows a warning notice about possible zone compatibility issues with unspecified DNSSEC-related record types when you add a new secondary zone. As far as I — and automated online DNSSEC validation tools — can tell, the service doesn’t have any problems with the DNSKEY and RRSIG record types. HE.net doesn’t specify any more details about what the incompatibility problems might be, so you’ll have to test your zone thoroughly.