Project ideas from Hacker News discussions.

Cert Authorities Check for DNSSEC from Today

📝 Discussion Summary

1. DNSSEC is effectively dead in practice
- “DNSSEC penetration in the top 1000 is single digits % … I’ve seen just three Tranco Top 1000 domains change their DNSSEC state” – tptacek
- “DNSSEC is moribund.” – tptacek
- “DNSSEC mistakes take your entire domain off the Internet, as if it had never existed.” – tptacek

2. The industry has only just begun to enforce DNSSEC, and the incentive is weak
- “No CA requires DNSSEC.” – tptacek
- “CAs are now required to honor DNSSEC, where they weren’t before.” – tptacek
- “CAs want to sell you certificates, browsers compete on their support for those certificates.” – throwway120385

3. The security benefits are outweighed by operational risk and downtime
- “DNSSEC adds an expiring, rotating key change regime … If you screw it up, the screwup is cached everywhere.” – tptacek
- “DNSSEC is a key‑escrow system.” (repeatedly cited as a major drawback) – tptacek

These three themes—low adoption, weak enforcement, and high operational cost—drive the debate over whether DNSSEC should be pushed forward or abandoned.


🚀 Project Ideas

[DNSSEC Adoption Monitor]

Summary

  • Real‑time dashboard that tracks DNSSEC enablement across the most‑visited domains.
  • Sends alerts when a domain’s DNSSEC state changes or when it drops below a health threshold.
  • Provides historical trend graphs and “readiness scores” to help owners prioritize fixes.

Details

Key Value
Target Audience Domain owners, security teams, registrars, DNS hosting providers
Core Feature Live DNSSEC health map with change notifications and trend analytics
Tech Stack Python/FastAPI backend, React + Chart.js front‑end, PostgreSQL, dnssec‑tools, Cloudflare Workers for DNS queries
Difficulty Medium
Monetization Revenue-ready: Tiered subscription (Free for ≤10 k domains, Pro $49 /mo, Enterprise custom)

Notes

  • HN users consistently lament the low DNSSEC adoption rates; an automated, visual monitor directly addresses that pain point.
  • The service could be integrated with registrar APIs, making it easy for owners to act on alerts without manual checks.

[DNSSEC‑Enabled ACME Client]

Summary

  • A drop‑in replacement for Certbot that automatically creates, validates, and renews DNSSEC‑signed DNS records during ACME DNS‑01 challenges.
  • Eliminates the “manual DNSSEC setup” friction that stops many from using DNSSEC with Let’s Encrypt.

Details

Key Value
Target Audience DevOps engineers, site operators using Let’s Encrypt or other ACME‑based CAs
Core Feature Seamless DNSSEC record creation/validation as part of the DNS‑01 challenge flow
Tech Stack Go, acme‑sharp library, provider‑agnostic DNS SDK (Route53, Cloudflare, etc.), SQLite for state
Difficulty High
Monetization Hobby

Notes

  • The HN discussion highlighted that CAs already validate DNSSEC but users still need a convenient tool; this product fills that gap and could be monetized through premium connectors or SLA support.

[DNSSEC Zone Health CLI]

Summary

  • A lightweight, single‑binary CLI that audits a DNS zone, detects common DNSSEC misconfigurations, and auto‑generates correct DS and RRSIG records.
  • Lowers the barrier for self‑hosted domains to enable DNSSEC safely.

Details

Key Value
Target Audience Small‑business owners, hobbyists, self‑hosting enthusiasts
Core Feature One‑command zone audit + auto‑fix (key rotation, DS upload, TTL optimization)
Tech Stack Rust, libdns (BIND9 API), SQLite for persistent state, Clap for CLI
Difficulty Low
Monetization Hobby

Notes

  • Community members repeatedly expressed fear of “breaking the internet” when enabling DNSSEC; a foolproof CLI directly alleviates that concern and encourages adoption.
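
One check a zone-audit CLI like this would run, shown here as an added example that is not code from any of the listed projects: it derives the DS record the parent should publish from the zone's DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256 digest) and flags a missing, stale or mismatched DS, the kind of mistake that makes validating resolvers drop the whole zone. The zone name and key bytes are constructed placeholders.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum with carry folding
    (the obsolete algorithm 1 uses a different rule and is not handled)."""
    if len(rdata) % 2:
        rdata += b"\x00"
    ac = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(name: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()

def audit_ds(name: str, dnskeys: list, ds_records: list) -> list:
    """Compare the parent's DS set with the child's DNSKEY set; return one
    string per misconfiguration found (an empty list means consistent).
    dnskeys: (flags, protocol, algorithm, base64 key); ds_records: (tag, alg, dtype, hex)."""
    if not ds_records:
        return ["no DS at parent: resolvers treat the zone as unsigned"]
    expected = {}
    for flags, proto, alg, b64 in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, base64.b64decode(b64))
        expected[(key_tag(rdata), alg)] = ds_digest(name, rdata)
    findings = []
    for tag, alg, dtype, digest in ds_records:
        if dtype != 2:
            findings.append(f"DS {tag}: digest type {dtype} not checked (only SHA-256 here)")
        elif (tag, alg) not in expected:
            findings.append(f"DS {tag}: no matching DNSKEY (stale DS after a key rollover?)")
        elif expected[(tag, alg)] != digest.upper():
            findings.append(f"DS {tag}: digest does not match the zone's DNSKEY")
    return findings

# Constructed sample, not a real key: four placeholder public-key bytes.
SAMPLE_ZONE = "example.com."
SAMPLE_KEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()
```

The same functions apply unchanged to live DNSKEY answers from the child zone and DS answers from the parent; the sample only exercises the offline comparison.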

[Cross‑Protocol DNSSEC Auth Bridge]

Summary

  • A SaaS API that publishes service public keys (SSHFP, DANE, SMIME) in DNSSEC‑signed TLSA/CERT records, allowing any client to fetch and verify them without protocol‑specific trust chains.
  • Enables universal, DNSSEC‑backed authentication for SSH, SMTP, and other protocols that currently rely on disparate PKI mechanisms.

Details

Key Value
Target Audience Security engineers, developers of decentralized or multi‑protocol services
Core Feature Centralized DNSSEC‑signed key repository with API for fetching verified service keys
Tech Stack TypeScript (Node.js), Web Crypto API, IPFS for immutable key storage, PostgreSQL for metadata
Difficulty High
Monetization Revenue-ready: Tiered API usage (Free 10 k requests/mo, $0.001 per request thereafter, Enterprise custom)

Notes

  • The thread highlighted the lack of universal PKI for non‑HTTP protocols; this service would let HN users secure SSH, VPN, and other services via the same DNSSEC‑validated infrastructure, turning a widely‑discussed gap into a marketable product.
