DNSSEC Discussion #31

@captncraig

Just started thinking about this and wanted to write down notes for the future.

One thing I think would be interesting for DNSControl to manage would be DNSSEC records. This really has two parts:

  1. DNS Provider needs to implement it. This involves managing keys, generating RRSIG records and so forth.
  2. Registrar needs to register the DS record(s) with the tld nameservers.

I would love for DNSControl to be able to activate DNSSEC for a domain with minimal effort required.

A few issues I foresee:

  • Provider support is fairly limited.

    Of the registrars we support, Gandi has an API. name.com has functionality in the web UI, but no API. Route53 as a registrar supports DNSSEC, but not as a DNS provider.

    As far as DNS providers go, gcloud has alpha support, Gandi appears to support it, Cloudflare has some sort of support, and all others seem to not. We could certainly do it for the BIND provider with some work.

  • Multiple providers

    DNSSEC would definitely not work unless all providers for a zone support it. If they do, I believe they can all use a separate key, and we can add multiple DS records via the registrar.

    Most cloud providers provide only a "just turn it on" model where they maintain all the keys and just give you the DS info to give the registrar.

  • Key management

    BIND may or may not be worth implementing anything for. Maybe the keys live on the actual server, and part of the process of deploying zonefiles is using dnssec-signzone or something.
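The DS records the registrar has to publish are derived from the zone's key-signing DNSKEYs, so a tool that sits between provider and registrar mostly needs to get that derivation right, including the "one DS per provider key" case raised above. The following is an added example, not code from the DNSControl project or from this issue: it computes the RFC 4034 key tag and the SHA-256 (digest type 2, RFC 4509) DS digest from DNSKEY fields using only the Go standard library, and emits one DS per KSK in a set of keys. The `DNSKEY`, `DS`, `DSSetFor` and `constructedKeys` names are this example's own, and the key bytes are constructed placeholders (not valid ECDSA points) chosen so the key tags can be checked by hand; the digests are nevertheless computed exactly as a validator would compute them.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// DNSKEY holds the DNSKEY RR fields (RFC 4034 section 2) needed to derive a DS.
type DNSKEY struct {
	Flags     uint16 // 256 = ZSK, 257 = KSK (SEP bit set)
	Protocol  uint8  // always 3 for DNSSEC
	Algorithm uint8  // e.g. 13 = ECDSAP256SHA256
	PublicKey []byte // raw public key bytes exactly as carried in RDATA
}

// RDATA returns the wire-format RDATA: flags, protocol, algorithm, public key.
func (k DNSKEY) RDATA() []byte {
	buf := make([]byte, 4, 4+len(k.PublicKey))
	binary.BigEndian.PutUint16(buf[0:2], k.Flags)
	buf[2] = k.Protocol
	buf[3] = k.Algorithm
	return append(buf, k.PublicKey...)
}

// KeyTag implements the checksum from RFC 4034 Appendix B over the RDATA:
// even-offset bytes weigh 256, odd-offset bytes weigh 1, then the carry is folded in.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.RDATA() {
		if i&1 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// canonicalName returns the owner name in canonical wire form (RFC 4034 section 6.2):
// lowercased, one length-prefixed label per component, terminated by the root label.
func canonicalName(owner string) ([]byte, error) {
	name := strings.ToLower(strings.TrimSuffix(owner, "."))
	var out []byte
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			if len(label) == 0 || len(label) > 63 {
				return nil, fmt.Errorf("invalid label %q in owner name %q", label, owner)
			}
			out = append(out, byte(len(label)))
			out = append(out, label...)
		}
	}
	return append(out, 0), nil
}

// DS is the delegation-signer record the parent zone publishes for a DNSKEY.
type DS struct {
	KeyTag     uint16
	Algorithm  uint8
	DigestType uint8 // 2 = SHA-256 (RFC 4509)
	Digest     []byte
}

// ToDS computes DS = SHA-256(canonical owner name || DNSKEY RDATA) for this key.
func (k DNSKEY) ToDS(owner string) (DS, error) {
	wire, err := canonicalName(owner)
	if err != nil {
		return DS{}, err
	}
	h := sha256.New()
	h.Write(wire)
	h.Write(k.RDATA())
	return DS{KeyTag: k.KeyTag(), Algorithm: k.Algorithm, DigestType: 2, Digest: h.Sum(nil)}, nil
}

// String renders the DS in zone-file presentation format.
func (d DS) String(owner string) string {
	return fmt.Sprintf("%s IN DS %d %d %d %s", owner, d.KeyTag, d.Algorithm, d.DigestType,
		strings.ToUpper(hex.EncodeToString(d.Digest)))
}

// DSSetFor returns one DS per key-signing key (SEP bit set); ZSKs are skipped because
// the parent only needs to anchor the keys that sign the child's DNSKEY RRset.
func DSSetFor(owner string, keys []DNSKEY) ([]DS, error) {
	var set []DS
	for _, k := range keys {
		if k.Flags&1 == 0 {
			continue // not a KSK
		}
		ds, err := k.ToDS(owner)
		if err != nil {
			return nil, err
		}
		set = append(set, ds)
	}
	return set, nil
}

// constructedKeys models two providers each holding their own KSK, plus one ZSK.
// The public key bytes are constructed placeholders, not real ECDSA points.
func constructedKeys() []DNSKEY {
	providerA := make([]byte, 64)
	for i := range providerA {
		providerA[i] = byte(i) // 0x00..0x3F
	}
	providerB := make([]byte, 64)
	for i := range providerB {
		providerB[i] = 0x01
	}
	return []DNSKEY{
		{Flags: 257, Protocol: 3, Algorithm: 13, PublicKey: providerA},
		{Flags: 257, Protocol: 3, Algorithm: 13, PublicKey: providerB},
		{Flags: 256, Protocol: 3, Algorithm: 13, PublicKey: providerA},
	}
}

func main() {
	set, err := DSSetFor("example.com.", constructedKeys())
	if err != nil {
		panic(err)
	}
	for _, ds := range set {
		fmt.Println(ds.String("example.com."))
	}
}
```

Two details worth keeping in mind when wiring this into a registrar call: the digest is over the canonical (lowercased) owner name, so `Example.COM.` and `example.com.` must yield the same DS, and a provider that rotates its KSK changes the key tag and digest, so the DS set at the registrar has to be re-derived and pushed on every rollover rather than set once.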
