Subscribe to receive notifications of new posts:

Help us test our DNSSEC implementation

2015-01-29

1 min read

See our previous post for an introduction to DNSSEC.

Today is a big day for Cloudflare! We are publishing our first DNSSEC signed zone for the community to analyze and give feedback on:

We've been testing our implementation internally for some time with great results, so we now want to know from outside users how it’s working!

Here’s an example of what you should see if you pull the records of, for example, www.cloudflare.com

DiG 9.11.18 <<>> www.cloudflare.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57987
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.cloudflare.com.		IN	A

;; ANSWER SECTION:
www.cloudflare.com.	294	IN	RRSIG	A 13 3 300 20210114001214 20210111221214 34505 www.cloudflare.com. QZrCZlAC29e5RYjF+Xt9l02bWYhPE9so5EZZHO07oAd1m6x4Ghbt873O t7dipnScuJcdu2zPpvFGAu5f+dtrNg==
www.cloudflare.com.	294	IN	A	104.16.123.96
www.cloudflare.com.	294	IN	A	104.16.124.96

;; Query time: 25 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jan 12 15:12:17 PST 2021
;; MSG SIZE  rcvd: 193

This is a big step towards our goal of doing with DNSSEC what we did with TLS: making it easy and widespread. We’re working on that and will get there soon.

DNSSEC presents many complexities that we are addressing doing DNSSEC in a modern way: for example by signing on the fly we can prevent NSEC records from revealing all zone’s subdomains; by using ECDSA we make DNS answers smaller and reduce the risk of reflection attacks; and finally by providing a fully managed solution we take away all the complexity from you.

A visualization of the signatures on our domain.

A visualization of the signatures on our domain. Source: DNSViz

So let us know how those two domains load and validate for you. We’ll make sure to get you some stickers if you find some obscure bug!

UPDATE: The beta is full, thanks for all who are participating.

P.S. If you are a DNSSEC enthusiast and you want to be part of the public beta, just send an email to [email protected] with the name of your website and the answer to this question - first ten people get in:

~~ What is the DNSSEC algorithm number for ECDSAP256SHA256? ~~

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
DNSSECBetaReliabilityProgramming

Follow on X

Filippo Valsorda|@filosottile
Cloudflare|@cloudflare

Related posts