Azure DNS needs DNSSEC support
DNSSEC is required to be able to secure your DNS requests. At the moment this is not available. We cannot move until our domains to Azure DNS untill these requirements have been met.
DNSSEC remains on our long term roadmap, however it is unlikely to be available in CY 2019. If DNSSEC is a critical and immediate requirement for your business we’d suggest that you consider evaluating 3rd party DNS hosting solutions that provide this feature.
Olov Karlsson commented
We are investigating the possibility to move our entire hosting business to Azure. DNSSEC is a requirement for many of our bigger customers and we have signed all our customers zones for several years. In my point of view: Support for DNSSEC is much more crucial than support for IPv6 and you have had support for IPv6 in more than a year...
S Sarma (MSFT) commented
As mentioned previously DNSSEC support is one of our top priorities but represents a large engineering investment. As such our current timeline for supporting this in Azure DNS is by mid-2018 (CY). We appreciate your votes and feedback.
Dominik B commented
We are currently beta testing DNSSEC von Google CloudDNS and would like to see feature parity on AzureDNS.
Microsoft, you need to make this engineering investment and make DNSSEC a priority. With 591 votes (at time of writing) and no admin comment for over 7 months we need a status update and a commitment on when this capability will be available.
+ 1 This is a critical feature that is preventing migration to Azure at this time.
Andy Schwartzmeyer commented
+1 We really need DNSSEC.
Auditors are pushing us to use DNSSEC I'm going to have to move us off of Azure for lack of this feature. Please make this a priority.
André Gresmo Johansen commented
+1 for DNSSEC support.
Also CAA record support (this one should be easy).
Lars B commented
You guys should really add this, would really sweeten the deal for many businesses when EU Directive 95/46/EC takes effect in 2018.
Azure needs DNS support, the dutch "Forum Standaardisatie" is defining DNSSEC as a standard for al government organisations. They need to apply this, of explain why they can. Having a provider that can't is not sufficient enough. would be great to have DNSSEC availability on a short term.
Chris Mankowski commented
I'm here because I read that In order for Azure to support "naked domains" DNS must be hosted with MSFT. However, since DNSSec isn't implemented, I'm sticking with Dyn
Same for the organization I work with. We wanted to move everything over, but sadly, the switch would leave us without DNSSEC, which is something we cannot do.
Ashley Steel commented
Critically needed; we no longer wish to use DYN and almost all our other services are with Azure, so we would prefer 'single pane of glass' in Azure for our DNS, too.
Sean Decker commented
Very simply how can we use your service and adhere to FedRamp DISA control SC-21 - SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.
As a digital bank we need DNSSEC in place to be trustworthy to both customers and partners. Azure DNS does not support DNSSEC or DNS CAA-records today which both are issues for us.
Jeffry A. Spain commented
An easy way to implement this at first would be to implement inbound zone transfers from a BIND 9 hidden master on which DNSSEC was configured, with Azure DNS acting as a set of ***** authoritative servers. Azure DNS ***** zones are already on your backlog: https://feedback.azure.com/forums/217313-networking/suggestions/12925503-extend-azure-dns-to-support-zone-transfers-so-it-c.
Large service providers (Comcast) have dnssec enabled by default on their resolvers. The use case is basically to be able to trust the DNS fully. That means one can add records like SSHFP and TLSA in addition to being able to verify correct delegation of domain.
Having Azure DNS authoritative name servers support DNSSEC (+ ability for a shadow primary name server) would be awesome.
Easiest would be for one to have unsigned zone on premises and Azure DNS to transparently sign whatever was zone transferred. Easiest from customer POV.
DNSSEC is mandatory for Dutch governments. The Dutch Standardisation Forum included DNSSEC in the comply-or-explain list in 2012. It is expected that DANE for securing mail transport (RFC7672) will be added to the comply-or-explain list soon. In addition to that , the German government recently also choose for DNSSEC and DANE.
In the Netherlands about 45% of .nl domains is signed with DNSSEC and we see Dutch and German mail providers move to DANE. We are interested in the roadmap of Microsoft with regard to DNSSEC and DANE.
- Comply-or-explain list: https://forumstandaardisatie.nl/ptolu
- Expert recommendation on DNSSEC: https://www.forumstandaardisatie.nl/fileadmin/os/documenten/Expert_recommendation_dnssec_2013.pdf
- BSI TR-03108 Sicherer E-Mail-Transport: https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03108/index_htm.html
We have experienced issues regarding our DKIM signing. Our email was spoofed because the receiving party was infected. They than signed the email with there own DKIM keys and our email was incorrectly all flagged as spam. This is because they were able to manipulate our DNS systems.
Manipulation of the DNS website records. Website records that were hijacked. This increases the risk for our customers.
for banking purposes we absolutely require the use of DNSSEC. It is a requirement from our regulator.