Domain registrar for email

I operate my own domain. This domain is used exclusively for email. I do not operate a website. The requirements I seek are as follows:

  • The standard DNS server supports IPv6. Name resolution is possible from an IPv6-only environment without the need to set up an external DNS server separately.
  • It must be possible to activate DNSSEC without preparing a separate external DNS server.
  • Compliance with RFC 8624.
  • Complete WHOIS privacy. The registrant’s country of residence and province/state of residence are not displayed in WHOIS. Very few registrars meet this condition.
  • FIDO U2F or passkey authentication can be configured when accessing the control panel.

Very few registrars meet these conditions because most domain registrars don’t adopt modern technologies. The domain industry is terrible.

Njalla meets these conditions, but they’ve raised their prices quite a bit recently. For example, XYZ domains increased from 15 EUR to 30 EUR per year. I think that’s a bit too expensive.

Porkbun doesn’t support DNSSEC. Gandi has incomplete WHOIS protection. Namecheap still uses SHA-1 for DNSSEC, which violates RFC 8624.

123 Reg is absolutely awful. When I tried to get customer support, the support agent told me to temporarily disable FIDO U2F. Their security practices are sloppy.
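The RFC 8624 requirement in the post above can be checked from the DS and DNSKEY records a registrar publishes. The sketch below is an added example, not part of the original post: it grades each record's algorithm and digest type against the signing-side levels in RFC 8624 sections 3.1 and 3.3. The function names and the sample records are assumptions constructed for illustration.

```python
# Added example: grade DS/DNSKEY records against RFC 8624 signing-side guidance
# (section 3.1 "DNSSEC Signing", section 3.3 "DNSSEC Delegation"); validators not covered.
DNSKEY_ALGS = {
    1: ("RSAMD5", "MUST NOT"), 3: ("DSA", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED"), 6: ("DSA-NSEC3-SHA1", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"), 8: ("RSASHA256", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED"), 12: ("ECC-GOST", "MUST NOT"),
    13: ("ECDSAP256SHA256", "MUST"), 14: ("ECDSAP384SHA384", "MAY"),
    15: ("ED25519", "RECOMMENDED"), 16: ("ED448", "MAY"),
}
DS_DIGESTS = {
    0: ("NULL", "MUST NOT"), 1: ("SHA-1", "MUST NOT"), 2: ("SHA-256", "MUST"),
    3: ("GOST R 34.11-94", "MUST NOT"), 4: ("SHA-384", "MAY"),
}
WEAK = {"MUST NOT", "NOT RECOMMENDED", "UNKNOWN"}

def grade(line):
    """Return [(field, mnemonic, level), ...] for one DS or DNSKEY record."""
    tok = line.split(";")[0].split()          # drop trailing zone-file comment
    upper = [t.upper() for t in tok]
    rtype = next((t for t in upper if t in ("DS", "DNSKEY")), None)
    if rtype is None:
        raise ValueError("not a DS or DNSKEY record: %r" % line)
    rdata = tok[upper.index(rtype) + 1:]
    if len(rdata) < 4:
        raise ValueError("truncated RDATA: %r" % line)
    if rtype == "DS":                          # key-tag, algorithm, digest-type, digest
        alg, dig = int(rdata[1]), int(rdata[2])
        return [("algorithm",) + DNSKEY_ALGS.get(alg, (str(alg), "UNKNOWN")),
                ("digest",) + DS_DIGESTS.get(dig, (str(dig), "UNKNOWN"))]
    alg = int(rdata[2])                        # flags, protocol, algorithm, key
    return [("algorithm",) + DNSKEY_ALGS.get(alg, (str(alg), "UNKNOWN"))]

def flagged(zone_text):
    """Return (owner, finding) pairs whose level is not acceptable for new signing."""
    out = []
    for line in zone_text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            out += [(line.split()[0], f) for f in grade(line) if f[2] in WEAK]
    return out
# Constructed sample records; key tags, digests and key material are placeholders.
SAMPLE = """\
old.example. 3600 IN DS 12345 7 1 0123456789ABCDEF0123456789ABCDEF01234567
new.example. 3600 IN DS 54321 13 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
new.example. 3600 IN DNSKEY 257 3 13 cGxhY2Vob2xkZXIta2V5
"""
if __name__ == "__main__":
    print(*flagged(SAMPLE), sep="\n")
```

Feed it the full records, including owner name and type, as they appear in a zone file or in `dig` output without `+short`.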

Porkbun has DNSSEC?

2 Likes

This mostly depends on the registry (Verisign, DENIC, Nominet, etc.) policy, not the registrar (Porkbun, Namecheap, etc.). That said, Porkbun meets your requirements, I believe.

Also, Njalla is not a registrar like Porkbun or Namecheap, so it’s an apples-to-oranges comparison.

3 Likes

To utilize this functionality, you’ll need to set up a separate external DNS server. In today’s environment, having an external DNS server allows you to enable DNSSEC with any registrar—this is standard practice and doesn’t require special mention.

Only when DNSSEC can be activated with a single click without requiring a separate external DNS server does it become truly advantageous.

When you use Porkbun as the nameserver, you can do that. You don’t need an external DNS server.

For #1 and #2, are you specifically only looking to use the registrar-provided DNS server? I always use a separate, third-party DNS provider, since most of the time registrar DNS is an afterthought, a bonus on top of the domain you’ve already purchased from them and not their main concern. Desec.io is what I’ve always used as authoritative DNS for my domains. DNSSEC by default, supports boatloads of DNS RRsets, well-documented API, FOSS stack, nonprofit, EU-based, anycast network.

For registrars, my main 3 are Porkbun, Spaceship and Dynadot. All 3 work well with desec.io DNSSEC, automated, no need to contact support and shit to give DNSSEC keys. Avoid Cloudflare as a registrar for #4 since they don’t provide a proper WHOIS replacement; they just show the redacted, upstreamed WHOIS from the registry, and for gTLDs that’ll usually leak country and region.

1 Like