
Help us test our DNSSEC implementation

by Filippo Valsorda.

For an introduction to DNSSEC, see our previous post

Today is a big day for CloudFlare! We are publishing our first two DNSSEC signed zones for the community to analyze and give feedback on:

We've been testing our implementation internally for some time with great results, so we now want to know from outside users how it’s working!

Here’s an example of what you should see if you pull the records of, for example,

$ dig A +dnssec

; <<>> DiG 9.10.1-P1 <<>> A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29654
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;	IN	A

;; ANSWER SECTION:
	300 IN	A
	300 IN	A
	300 IN	RRSIG	A 13 3 300 20150128233303 20150126213303 44478 2CUK9o8gUM6poGEvplZTk8QZsjlEda8TLu7hKDTUqq/Of/0cWPQ3j20r ha7D1ZWbwcuo6wo3S82aAOLXovsURQ==

;; Query time: 168 msec
;; WHEN: Tue Jan 27 22:33:03 GMT 2015
;; MSG SIZE  rcvd: 213

This is a big step towards our goal of doing with DNSSEC what we did with TLS: making it easy and widespread. We’re working on that and will get there soon.

DNSSEC presents many complexities, which we are addressing by doing DNSSEC in a modern way: for example, by signing on the fly we can prevent NSEC records from revealing all of a zone’s subdomains; by using ECDSA we make DNS answers smaller and reduce the risk of reflection attacks; and finally, by providing a fully managed solution we take away all the complexity from you.
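To check these properties on an answer you receive, here is an added example (not CloudFlare's code) that parses the RRSIG from the dig output above and inspects its algorithm, signature size and validity window. The signer name is missing from the page, so `example.com.` is a placeholder, and the function names are this example's own.

```python
import base64
from datetime import datetime, timezone

# IANA DNSSEC algorithm number -> (mnemonic, signature bytes; None = depends on key size)
ALGORITHMS = {8: ("RSASHA256", None), 13: ("ECDSAP256SHA256", 64),
              14: ("ECDSAP384SHA384", 96)}

def _ts(s):
    # RRSIG timestamps are printed as YYYYMMDDHHmmSS, in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(rdata):
    """Parse RRSIG RDATA in presentation format (the text after 'RRSIG')."""
    f = rdata.split()
    if len(f) < 9:
        raise ValueError("truncated RRSIG RDATA")
    sig = base64.b64decode("".join(f[8:]), validate=True)  # dig splits long base64
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "original_ttl": int(f[3]), "expiration": _ts(f[4]),
            "inception": _ts(f[5]), "key_tag": int(f[6]), "signer": f[7],
            "signature": sig}

def check_rrsig(rr, now):
    """Return a list of problems; an empty list means the metadata looks sane."""
    problems = []
    name, sig_len = ALGORITHMS.get(rr["algorithm"], (None, None))
    if name is None:
        problems.append(f"unknown algorithm {rr['algorithm']}")
    elif sig_len is not None and len(rr["signature"]) != sig_len:
        problems.append(f"{name}: {len(rr['signature'])}-byte signature, expected {sig_len}")
    if now < rr["inception"]:
        problems.append("signature not yet valid")
    if now > rr["expiration"]:
        problems.append("signature expired")
    return problems

# RDATA taken from the dig output above. The signer name is missing on the page,
# so example.com. is a placeholder (assumption).
RDATA = ("A 13 3 300 20150128233303 20150126213303 44478 example.com. "
         "2CUK9o8gUM6poGEvplZTk8QZsjlEda8TLu7hKDTUqq/Of/0cWPQ3j20r "
         "ha7D1ZWbwcuo6wo3S82aAOLXovsURQ==")
WHEN = datetime(2015, 1, 27, 22, 33, 3, tzinfo=timezone.utc)  # the ";; WHEN:" line

if __name__ == "__main__":
    rr = parse_rrsig(RDATA)
    print(check_rrsig(rr, WHEN), len(rr["signature"]), "bytes")
    print("signed window:", WHEN - rr["inception"], "before /", rr["expiration"] - WHEN, "after")
```

With the values on this page the signature decodes to 64 bytes, and the validity window runs from exactly 25 hours before the query time to 25 hours after it, which is consistent with a record signed when the query arrived. The script inspects RRSIG metadata only and does not verify the signature cryptographically.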

A visualization of the signatures on our domain. Source: DNSViz

So let us know how those two domains load and validate for you. We’ll make sure to get you some stickers if you find some obscure bug!

UPDATE: The beta is full, thanks to all who are participating.

P.S. If you are a DNSSEC enthusiast and you want to be part of the public beta, just send an email to with the name of your website and the answer to this question - first ten people get in:

~~ What is the DNSSEC algorithm number for ECDSAP256SHA256? ~~
