Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

How can we improve Azure Networking?

← Networking

Azure DNS needs DNSSEC support

DNSSEC is required to be able to secure your DNS requests. At the moment this is not available. We cannot move until our domains to Azure DNS untill these requirements have been met.

5,883 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Anonymous shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

260 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Olov Karlsson commented  ·   ·  Flag as inappropriate

    We are investigating the possibility to move our entire hosting business to Azure. DNSSEC is a requirement for many of our bigger customers and we have signed all our customers zones for several years. In my point of view: Support for DNSSEC is much more crucial than support for IPv6 and you have had support for IPv6 in more than a year...

  • S Sarma (MSFT) commented  ·   ·  Flag as inappropriate

    As mentioned previously DNSSEC support is one of our top priorities but represents a large engineering investment. As such our current timeline for supporting this in Azure DNS is by mid-2018 (CY). We appreciate your votes and feedback.

  • Dominik B commented  ·   ·  Flag as inappropriate

    We are currently beta testing DNSSEC von Google CloudDNS and would like to see feature parity on AzureDNS.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Microsoft, you need to make this engineering investment and make DNSSEC a priority. With 591 votes (at time of writing) and no admin comment for over 7 months we need a status update and a commitment on when this capability will be available.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Auditors are pushing us to use DNSSEC I'm going to have to move us off of Azure for lack of this feature. Please make this a priority.

  • Lars B commented  ·   ·  Flag as inappropriate

    You guys should really add this, would really sweeten the deal for many businesses when EU Directive 95/46/EC takes effect in 2018.

  • Sjoerd commented  ·   ·  Flag as inappropriate

    Azure needs DNS support, the dutch "Forum Standaardisatie" is defining DNSSEC as a standard for al government organisations. They need to apply this, of explain why they can. Having a provider that can't is not sufficient enough. would be great to have DNSSEC availability on a short term.

  • Chris Mankowski commented  ·   ·  Flag as inappropriate

    I'm here because I read that In order for Azure to support "naked domains" DNS must be hosted with MSFT. However, since DNSSec isn't implemented, I'm sticking with Dyn

  • Tony commented  ·   ·  Flag as inappropriate

    Same for the organization I work with. We wanted to move everything over, but sadly, the switch would leave us without DNSSEC, which is something we cannot do.

  • Ashley Steel commented  ·   ·  Flag as inappropriate

    Critically needed; we no longer wish to use DYN and almost all our other services are with Azure, so we would prefer 'single pane of glass' in Azure for our DNS, too.

  • Sean Decker commented  ·   ·  Flag as inappropriate

    Very simply how can we use your service and adhere to FedRamp DISA control SC-21 - SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
    Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

    https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SC-21

  • Anonymous commented  ·   ·  Flag as inappropriate

    As a digital bank we need DNSSEC in place to be trustworthy to both customers and partners. Azure DNS does not support DNSSEC or DNS CAA-records today which both are issues for us.

  • Jeffry A. Spain commented  ·   ·  Flag as inappropriate

    An easy way to implement this at first would be to implement inbound zone transfers from a BIND 9 hidden master on which DNSSEC was configured, with Azure DNS acting as a set of ***** authoritative servers. Azure DNS ***** zones are already on your backlog: https://feedback.azure.com/forums/217313-networking/suggestions/12925503-extend-azure-dns-to-support-zone-transfers-so-it-c.

  • Kaj commented  ·   ·  Flag as inappropriate

    Large service providers (Comcast) have dnssec enabled by default on their resolvers. The use case is basically to be able to trust the DNS fully. That means one can add records like SSHFP and TLSA in addition to being able to verify correct delegation of domain.

    Having Azure DNS authoritative name servers support DNSSEC (+ ability for a shadow primary name server) would be awesome.

    Easiest would be for one to have unsigned zone on premises and Azure DNS to transparently sign whatever was zone transferred. Easiest from customer POV.

  • Anonymous commented  ·   ·  Flag as inappropriate

    DNSSEC is mandatory for Dutch governments. The Dutch Standardisation Forum included DNSSEC in the comply-or-explain list in 2012. It is expected that DANE for securing mail transport (RFC7672) will be added to the comply-or-explain list soon. In addition to that , the German government recently also choose for DNSSEC and DANE.

    In the Netherlands about 45% of .nl domains is signed with DNSSEC and we see Dutch and German mail providers move to DANE. We are interested in the roadmap of Microsoft with regard to DNSSEC and DANE.

    Background information:
    - Comply-or-explain list: https://forumstandaardisatie.nl/ptolu
    - Expert recommendation on DNSSEC: https://www.forumstandaardisatie.nl/fileadmin/os/documenten/Expert_recommendation_dnssec_2013.pdf
    - BSI TR-03108 Sicherer E-Mail-Transport: https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03108/index_htm.html

  • Anonymous commented  ·   ·  Flag as inappropriate

    #1 case,
    We have experienced issues regarding our DKIM signing. Our email was spoofed because the receiving party was infected. They than signed the email with there own DKIM keys and our email was incorrectly all flagged as spam. This is because they were able to manipulate our DNS systems.

    #2 case,
    Manipulation of the DNS website records. Website records that were hijacked. This increases the risk for our customers.

    #3 case,
    for banking purposes we absolutely require the use of DNSSEC. It is a requirement from our regulator.

1 2 9 10 11 13 Next →

Networking: DNS

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice