For an introduction to DNSSEC, see our previous post.
Today is a big day for Cloudflare! We are publishing our first DNSSEC signed zone for the community to analyze and give feedback on:
- www.cloudflare.com - a fully signed zone managed by Cloudflare
We've been testing our implementation internally for some time with great results, so we now want to know from outside users how it’s working!
Here’s an example of what you should see if you pull the records of www.cloudflare.com:
```
DiG 9.11.18 <<>> www.cloudflare.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57987
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; ANSWER SECTION:
www.cloudflare.com. 294 IN RRSIG A 13 3 300 20210114001214 20210111221214 34505 www.cloudflare.com. QZrCZlAC29e5RYjF+Xt9l02bWYhPE9so5EZZHO07oAd1m6x4Ghbt873O t7dipnScuJcdu2zPpvFGAu5f+dtrNg==
www.cloudflare.com. 294 IN A 18.104.22.168
www.cloudflare.com. 294 IN A 22.214.171.124

;; Query time: 25 msec
;; SERVER: 126.96.36.199#53(188.8.131.52)
;; WHEN: Tue Jan 12 15:12:17 PST 2021
;; MSG SIZE rcvd: 193
```
This is a big step towards our goal of doing with DNSSEC what we did with TLS: making it easy and widespread. We’re working on that and will get there soon.
DNSSEC presents many complexities, which we are addressing by doing DNSSEC in a modern way: for example, by signing on the fly we can prevent NSEC records from revealing all of a zone’s subdomains; by using ECDSA we make DNS answers smaller and reduce the risk of reflection attacks; and finally, by providing a fully managed solution we take away all the complexity from you.
A visualization of the signatures on our domain. Source: DNSViz
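The RRSIG record in the dig output above can be read field by field. The following Python is an added example, not Cloudflare's code: it parses that RRSIG line and checks its metadata (algorithm number and the 64-byte ECDSA signature size, validity window, TTL, label count, signer name). It does not verify the signature cryptographically, which would need the zone's DNSKEY; the function names and the small algorithm table are this example's own.

```python
import base64
from datetime import datetime, timezone
# RRSIG line copied from the dig output on this page.
RRSIG_LINE = (
    "www.cloudflare.com. 294 IN RRSIG A 13 3 300 20210114001214 "
    "20210111221214 34505 www.cloudflare.com. "
    "QZrCZlAC29e5RYjF+Xt9l02bWYhPE9so5EZZHO07oAd1m6x4Ghbt873O "
    "t7dipnScuJcdu2zPpvFGAu5f+dtrNg=="
)
# Part of the IANA DNSSEC algorithm registry: number -> (mnemonic, signature bytes or None if key-dependent).
ALGORITHMS = {8: ("RSASHA256", None), 13: ("ECDSAP256SHA256", 64),
              14: ("ECDSAP384SHA384", 96), 15: ("ED25519", 64)}

def _timestamp(text):
    # RRSIG times are printed as YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split one presentation-format RRSIG record into named fields."""
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record in 'owner ttl class type ...' form")
    return {
        "owner": f[0].lower(), "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": _timestamp(f[8]), "inception": _timestamp(f[9]),
        "key_tag": int(f[10]), "signer": f[11].lower(),
        # dig prints the base64 signature in space-separated chunks; rejoin them.
        "signature": base64.b64decode("".join(f[12:]), validate=True),
    }

def check_rrsig(rr, now):
    """Return a list of problems found in the RRSIG metadata (empty if none)."""
    problems = []
    name, sig_len = ALGORITHMS.get(rr["algorithm"], (None, None))
    if name is None:
        problems.append(f"algorithm {rr['algorithm']} not in local table")
    elif sig_len is not None and len(rr["signature"]) != sig_len:
        problems.append(f"{name} signature is {len(rr['signature'])} bytes, expected {sig_len}")
    if not rr["inception"] <= now <= rr["expiration"]:
        problems.append("current time is outside the signature validity window")
    if rr["ttl"] > rr["original_ttl"]:
        problems.append("TTL exceeds the signed original TTL")
    owner_labels = [l for l in rr["owner"].rstrip(".").split(".") if l and l != "*"]
    if rr["labels"] > len(owner_labels):
        problems.append("labels field exceeds the owner name's label count")
    if rr["signer"] != "." and not ("." + rr["owner"]).endswith("." + rr["signer"]):
        problems.append("owner name is not at or below the signer's zone")
    return problems
```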
So let us know how those two domains load and validate for you. We’ll make sure to get you some stickers if you find some obscure bug!
UPDATE: The beta is full, thanks to all who are participating.
P.S. If you are a DNSSEC enthusiast and you want to be part of the public beta, just send an email to [email protected] with the name of your website and the answer to this question - first ten people get in:
~~ What is the DNSSEC algorithm number for ECDSAP256SHA256? ~~