.@ Tony Finch – blog

What a disappointing offering.

To be fair, they are providing a cheap, high volume, globally distributed, authoritative DNS service. I expect they will do this as superbly as their other cloud hosting services.

But they are using obsolete unmaintained software for the DNS servers. This has two clearly bad consequences:

Firstly, they don’t support DNSSEC.

Secondly, they have invented their own API for updating the DNS instead of using the standard dynamic update protocol.

ETA: Thirdly (but not a djbdns problem) they don’t support AXFR, let alone NOTIFY and IXFR, which means that Route 53 cannot be used as a secondary DNS service for a primary you run, nor can you set up a local slave of your Route 53 zones.

I admit that they would have to have their own API for provisioning zones, since there is not yet a standard way to do that - and in fact BIND is only just getting its own API for dynamic zone provisioning. But I doubt I’ll see Amazon staff on the IETF lists working to help standardize a provisioning protocol if they don’t even support DNSSEC or standard dynamic updates.