— < 1 min read

Gmail provided by the paid Google Workspace service (formerly known as G Suite and Google Apps) has unofficial MX hostnames in a DNSSEC-signed zone available for use. The officially supported MX records that you're told to configure sit in a zone that is not DNSSEC-signed, so a validating resolver cannot authenticate them.

These MX records have both IPv4 and IPv6 addresses, although the records are not officially supported or documented and may be unreliable or removed at any point. (I’ve been using them for a while now and they seem perfectly fine to me but use at your own risk.)
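The only way to tell a DNSSEC-signed answer from an unsigned one is to ask a validating resolver with the DO (DNSSEC OK) bit set and look for the AD (authenticated data) flag in its reply. The script below is an added example for this page, not code from the original post: it builds the wire-format query with an EDNS0 OPT record carrying DO=1, parses the reply header, and reports whether the resolver validated the answer. The reply headers it checks against are constructed inline; the resolver address 9.9.9.9 in the usage block is an assumption (any validating resolver works, and a non-validating resolver will never set AD regardless of how the zone is signed).

```python
"""Build a DNSSEC-aware DNS query and check the AD bit on the reply.

Added example, not the post's code. Wire format per RFC 1035, EDNS0 per
RFC 6891, meaning of the AD/CD bits per RFC 4035 section 3.2.
"""
import socket
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_MX = 1, 28, 15
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000  # DO is the top bit of the 16-bit flags in the OPT record's TTL field


def encode_name(name):
    """Encode 'mx1.smtp.goog' as wire labels: \\x03mx1\\x04smtp\\x04goog\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, dnssec_ok=True):
    """Recursive (RD) query for name/qtype in class IN. With dnssec_ok an EDNS0
    OPT RR with DO=1 is appended, which tells a validating resolver to return
    RRSIGs and to set AD on the reply if the chain of trust checks out."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # name=root, type=OPT(41), class=UDP payload size, TTL=ext-rcode/version/flags, rdlen=0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def response_flags(response):
    """Return the 16-bit flags word of a DNS reply header."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    _txid, flags, *_ = struct.unpack("!HHHHHH", response[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return flags


def answer_is_authenticated(response):
    """True only for NOERROR replies the resolver marked AD (authenticated data)."""
    flags = response_flags(response)
    return (flags & 0x000F) == 0 and bool(flags & FLAG_AD)


def query_resolver(resolver_ip, name, qtype=QTYPE_A, timeout=3.0):
    """Send the query over UDP and return the raw reply (needs network; not used by the test)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return reply


# Constructed reply headers (12 bytes is enough to read the flags):
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 1)

if __name__ == "__main__":
    for host in ("mx1.smtp.goog", "aspmx.l.google.com"):
        reply = query_resolver("9.9.9.9", host)  # assumed: a DNSSEC-validating resolver
        print(host, "AD set" if answer_is_authenticated(reply) else "AD not set")
```

A SERVFAIL from a validating resolver for a name that resolves fine with CD=1 (the checking-disabled bit, not set here) is the classic sign of a broken signature chain rather than an unsigned zone; and a reply with the TC bit set should be retried over TCP before drawing any conclusion from its flags.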

mx1.smtp.goog
mx2.smtp.goog
mx3.smtp.goog
mx4.smtp.goog

The table below has the MX record and the A and AAAA record values.

mx1.smtp.goog
    216.239.32.151
    2001:4860:4802:32::97

mx2.smtp.goog
    216.239.34.151
    2001:4860:4802:34::97

mx3.smtp.goog
    216.239.36.151
    2001:4860:4802:36 …
 — 2 min read

SSHFP records are a defence against people blindly typing 'yes' when asked whether they want to continue connecting to an SSH host whose authenticity cannot be established.

$ ssh some.host.tld
The authenticity of host 'some.host.tld (192.0.2.10)' can't be established.
ED25519 key fingerprint is 69:76:51:39:a4:c6:de:15:7c:50:4b:4a:a7:98:40:5e.
Are you sure you want to continue connecting (yes/no)?

This prompt is likely to be extremely familiar to you, and most people seem to just type 'yes' to move on with their lives, which defeats the whole purpose of the prompt.

If your zone is DNSSEC-signed you can skip this prompt entirely by publishing your servers' host key fingerprints in DNS as SSHFP records and letting SSH check the presented host key against them. Two things have to hold for that to work: the client needs VerifyHostKeyDNS yes in its ssh_config, and its resolver must return the SSHFP records as DNSSEC-validated (AD flag set). If the record is found but not validated, ssh only prints that a matching fingerprint was found in DNS and still asks you to confirm.

Generating your SSHFP record

You can get SSH to generate the DNS records for you, log in …
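What ssh-keygen -r prints is mechanical: each line is the owner name, the algorithm number for the key type (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519) and the fingerprint type (1 SHA-1, 2 SHA-256), followed by the hex digest of the host key's public-key blob in SSH wire encoding (RFC 4255, RFC 6594, RFC 7479). The script below is an added example for this page, not the post's code or OpenSSH's: it produces the same records from a public key line such as /etc/ssh/ssh_host_ed25519_key.pub, and it does the reverse check that ssh performs, comparing a presented key against a published SSHFP record. The Ed25519 key it runs on is constructed inline from dummy bytes, not a real host key, and the hostname some.host.tld is taken from the prompt above.

```python
"""Generate SSHFP records from an OpenSSH public key line and verify a key
against a published record. Added example, not the post's or OpenSSH's code."""
import base64
import hashlib
import hmac
import struct

# Algorithm code points: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: RFC 4255 (SHA-1), RFC 6594 (SHA-256).
SSHFP_FPTYPES = {"sha1": 1, "sha256": 2}
FPTYPE_NAMES = {v: k for k, v in SSHFP_FPTYPES.items()}


def parse_pubkey_line(line):
    """Split '<type> <base64 blob> [comment]' and sanity-check the blob.

    The blob is the SSH wire encoding of the key; its first length-prefixed
    string repeats the key type, which must agree with the text field."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type in blob does not match the text field")
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for %s" % keytype)
    return keytype, blob


def sshfp_records(hostname, pubkey_line, fptypes=("sha1", "sha256")):
    """Return zone-file lines equivalent to `ssh-keygen -r hostname -f key.pub`.

    The fingerprint is the digest of the raw public-key blob (RFC 4255 s. 3.1.3)."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [
        "%s. IN SSHFP %d %d %s" % (hostname, alg, SSHFP_FPTYPES[fpt],
                                    hashlib.new(fpt, blob).hexdigest())
        for fpt in fptypes
    ]


def host_key_matches(pubkey_line, record):
    """The check ssh does with VerifyHostKeyDNS: does this key match the record?

    `record` is a presentation-format line ending in '<alg> <fptype> <hex>'."""
    fields = record.split()
    alg, fptype, published = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    keytype, blob = parse_pubkey_line(pubkey_line)
    if SSHFP_ALGORITHMS[keytype] != alg or fptype not in FPTYPE_NAMES:
        return False
    computed = hashlib.new(FPTYPE_NAMES[fptype], blob).hexdigest()
    return hmac.compare_digest(computed, published)


def _ssh_string(data):
    return struct.pack("!I", len(data)) + data


# Constructed Ed25519 public key (32 dummy bytes), NOT a real host key.
CONSTRUCTED_PUBKEY_LINE = "ssh-ed25519 %s root@some.host.tld" % base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32)).decode("ascii")

if __name__ == "__main__":
    for line in sshfp_records("some.host.tld", CONSTRUCTED_PUBKEY_LINE):
        print(line)
```

Publish the SHA-256 (type 2) record at minimum; the SHA-1 one is still emitted by ssh-keygen for older clients. Remember that the records must be regenerated whenever a host key changes, otherwise the client falls straight back to the prompt.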

 — 1 min read

I currently use name.com as my registrar and I use Rage4 because Rage4 are awesome; they also support TLSA and SSHFP records and, of course, DNSSEC.

I’m writing this up because I found getting DNSSEC from Rage4 to work with name.com as my registrar was a pain and the name.com support were not very helpful, linking me to a support article that I’d already read and did not help at all.

Rage4

I’m going to assume you’ve already got your records in Rage4, if not, the interface is really easy so you’ll figure it out.

Within the management section for your domain's zone, there is a menu bar of icons; the icon pictured below enables DNSSEC.

Enabled DNSSEC

Clicking this will turn on DNSSEC. You will then have a new icon that will allow you to display your DNSSEC information.

Display DNSSEC info

Clicking this icon …
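The handoff between a DNS provider and a registrar is a DS record: the registrar publishes, in the parent zone, a key tag, algorithm, digest type and digest derived from the provider's key-signing DNSKEY. When the two sides disagree about what that DS should be, the zone fails validation, so it is worth computing it yourself from the DNSKEY the provider shows and comparing with what the registrar accepted. The script below is an added example for this page, not Rage4's or name.com's code: it implements the RFC 4034 key tag and the RFC 4034/RFC 4509 DS digest over the canonical owner name plus DNSKEY RDATA. The DNSKEY it runs on (flags 257, algorithm 13, a 64-byte all-zero public key) and the owner name example.net are constructed for the example, not real zone data.

```python
"""Compute and cross-check the DS record for a DNSKEY.
Added example, not the post's code. Key tag: RFC 4034 appendix B;
DS digest: RFC 4034 section 5.1.4 (SHA-1), RFC 4509 (SHA-256)."""
import base64
import hashlib
import struct

DS_DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}
DNSKEY_FLAG_ZONE_KEY = 0x0100  # RFC 4034 flag bit 7
DNSKEY_FLAG_SEP = 0x0001       # RFC 4034 flag bit 15, set on a KSK


def wire_name(name):
    """Canonical wire form of an owner name: lowercase labels, trailing root."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.lower().encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 appendix B key tag (a 16-bit checksum over the RDATA)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) for the DNSKEY.

    Only zone keys may be referenced by a DS; registrars normally want the KSK."""
    if not flags & DNSKEY_FLAG_ZONE_KEY:
        raise ValueError("DNSKEY is not a zone key; no DS should point at it")
    if protocol != 3:
        raise ValueError("DNSKEY protocol must be 3")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.new(DS_DIGEST_TYPES[digest_type], wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, registrar_ds_text):
    """Compare what the registrar shows ('<tag> <alg> <dtype> <hex>') with the
    DS computed from the provider's DNKEY. Digest hex may be split by spaces."""
    fields = registrar_ds_text.split()
    tag, alg, dtype = int(fields[0]), int(fields[1]), int(fields[2])
    published = "".join(fields[3:]).upper()
    return ds_record(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, published)


# Constructed KSK: flags 257 (zone key + SEP), protocol 3, algorithm 13
# (ECDSAP256SHA256), 64 zero bytes standing in for the public key. Not real.
CONSTRUCTED_PUBKEY_B64 = base64.b64encode(b"\x00" * 64).decode("ascii")

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record("example.net", 257, 3, 13, CONSTRUCTED_PUBKEY_B64)
    print("example.net. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
```

Note that the owner name is part of the digest input, so a DS computed for the wrong name, or a DNSKEY pasted with its trailing comment or whitespace mangled, gives a digest that looks plausible but never validates; the key tag alone is not enough to tell the two apart.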