DNSSEC

DNSSEC adds cryptographic signatures to DNS data so that resolvers can verify the responses to their DNS queries. It is not very widely adopted, possibly because the signed data must periodically be re-signed. The signatures, not just the records, must be conveyed to every authoritative DNS server that might answer a query for the zone. Best practice is for any site to have more than one authoritative DNS server, situated in diverse network locations.
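The operational risk behind that "periodic re-signing" requirement is a signature that silently reaches its expiration time, at which point validating resolvers start returning SERVFAIL for the zone. The following is an added example, not code from the original post or from Google Domains: it parses the single-line RRSIG presentation format that `dig +dnssec` prints (RFC 4034) and classifies each signature as ok, expiring soon, expired, or not yet valid. The sample answer lines and the fixed clock are constructed for the demonstration.

```python
# Added example: flag RRSIGs that are expired or close to expiring, which is
# the failure mode that DNSSEC's periodic re-signing exists to prevent.
# Input is the single-line RRSIG presentation format printed by `dig +dnssec`
# (RFC 4034 section 3.2). The sample records below are constructed, not real.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str
    inception: datetime
    expiration: datetime


def _parse_time(field: str) -> datetime:
    # RRSIG inception/expiration are YYYYMMDDHHMMSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    # Field layout as dig prints it:
    # owner TTL class RRSIG type alg labels origTTL expiration inception keytag signer signature...
    # The base64 signature may be split across several whitespace-separated tokens.
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return Rrsig(
        owner=f[0],
        type_covered=f[4],
        algorithm=int(f[5]),
        key_tag=int(f[10]),
        signer=f[11],
        inception=_parse_time(f[9]),
        expiration=_parse_time(f[8]),
    )


def check_rrsigs(lines, now, warn_after=timedelta(days=7)):
    """Classify every RRSIG in a list of dig answer lines relative to `now`."""
    results = []
    for line in lines:
        f = line.split()
        if len(f) < 4 or f[3] != "RRSIG":
            continue  # A, AAAA, DNSKEY and similar lines carry no signature
        sig = parse_rrsig(line)
        if now < sig.inception:
            status = "not-yet-valid"
        elif now >= sig.expiration:
            status = "expired"
        elif sig.expiration - now <= warn_after:
            status = "expiring-soon"
        else:
            status = "ok"
        results.append({
            "owner": sig.owner,
            "type": sig.type_covered,
            "signer": sig.signer,
            "key_tag": sig.key_tag,
            "status": status,
            "seconds_left": int((sig.expiration - now).total_seconds()),
        })
    return results


# Constructed sample in the shape of `dig +dnssec example.com A` answer lines.
SAMPLE_DIG_OUTPUT = [
    "example.com. 3600 IN A 192.0.2.1",
    "example.com. 3600 IN RRSIG A 13 2 3600 20240320000000 20240301000000 34567 example.com. c29tZXNpZw==",
    "www.example.com. 3600 IN RRSIG A 13 3 3600 20240313000000 20240301000000 34567 example.com. c29tZXNpZw==",
    "old.example.com. 3600 IN RRSIG AAAA 13 3 3600 20240305000000 20240220000000 34567 example.com. c29tZXNpZw==",
    "new.example.com. 3600 IN RRSIG A 13 3 3600 20240401000000 20240315000000 34567 example.com. c29tZXNpZw==",
]

# Fixed clock (constructed) so the run is repeatable; use datetime.now(timezone.utc) in practice.
SAMPLE_NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in check_rrsigs(SAMPLE_DIG_OUTPUT, SAMPLE_NOW):
        print(f"{r['owner']:20} {r['type']:5} {r['status']:14} {r['seconds_left']:>9}s")
```

To use it against a live zone, replace SAMPLE_DIG_OUTPUT with the answer section of `dig +dnssec <name> <type>` and SAMPLE_NOW with the current UTC time. Running the same query against each authoritative server individually (`dig @<server> ...`) is the check that matters most for the point made above: a secondary that has not received the latest signatures will show an older expiration time than the primary, even though both answer the query.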

My domain was purchased through Google Domains, and as part of that purchase, I received a free DNS service associated with my account. Google offers another domain name service, which is not free, but which also has an API which could be used to advantage. The fee, while not exorbitant, is more than I am willing to pay. If you use the alternative DNS service, you can skip the rest of this article.

Google's free service does offer DNSSEC, which is easily configured, and Google takes care of such things as periodic re-signing, as well as diversity of server location. I decided that service was just too useful to pass up, and I configured an external view of my network (i.e. external IP addresses) on the easy-to-use control panel.

There were a couple of disadvantages to the free Google Domains DNS. It has only a very minimal API, which is useless for my purposes. The other disadvantage is that it provides only an "external view" of my network, and so it is not useful for my internal DNS requirements.