Defaults for everyone
| Control | Free | Notes |
|---|---|---|
| TLS 1.3 on the dashboard | ✅ | HSTS preloaded |
| TOTP-based 2FA | ✅ | Recommended for every account |
| WebAuthn / passkeys | ✅ | First-class, not a beta |
| Per-zone audit log | 30 days | Forever on verified |
| IP allowlist for API tokens | — | Available with verification |
DNSSEC
DNSSEC lets resolvers cryptographically verify that answers actually came from your zone — defeating the kind of cache poisoning that took down whole registrars in 2024. Stackryze signs every enabled zone with ECDSA P-256 + SHA-256 by default. NSEC3 with opt-out is enabled to prevent zone-walking. To turn DNSSEC on for a zone you own:- Open the zone in the dashboard
- Go to Settings → DNSSEC
- Click Enable
- Copy the
DSrecord we generate - Paste it at your registrar
Compliance
- Data residency: EU and US regions available on request
- Subprocessors: stackryze.com/legal/subprocessors
- Responsible disclosure: security@stackryze.com, PGP key on the website