For an introduction to DNSSEC, see our previous post
Today is a big day for CloudFlare! We are publishing our first two DNSSEC signed zones for the community to analyze and give feedback on:
- www.cloudflare-dnssec-auth.com - a fully signed zone managed by CloudFlare
- www.cloudflare-dnssec-cname.com - an external zone linking to a signed record with a CNAME
We've been testing our implementation internally for some time with great results, so we now want to know from outside users how it’s working!
Here’s an example of what you should see if you pull the records of, for example, www.cloudflare-dnssec-auth.com.
$ dig www.cloudflare-dnssec-auth.com A +dnssec ; <<>> DiG 9.10.1-P1 <<>> www.cloudflare-dnssec-auth.com A +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29654 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;www.cloudflare-dnssec-auth.com. IN A ;; ANSWER SECTION: www.cloudflare-dnssec-auth.com. 300 IN A 18.104.22.168 www.cloudflare-dnssec-auth.com. 300 IN A 22.214.171.124 www.cloudflare-dnssec-auth.com. 300 IN RRSIG A 13 3 300 20150128233303 20150126213303 44478 cloudflare-dnssec-auth.com. 2CUK9o8gUM6poGEvplZTk8QZsjlEda8TLu7hKDTUqq/Of/0cWPQ3j20r ha7D1ZWbwcuo6wo3S82aAOLXovsURQ== ;; Query time: 168 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Jan 27 22:33:03 GMT 2015 ;; MSG SIZE rcvd: 213
This is a big step towards our goal of doing with DNSSEC what we did with TLS: making it easy and widespread. We’re working on that and will get there soon.
DNSSEC presents many complexities that we are addressing doing DNSSEC in a modern way: for example by signing on the fly we can prevent NSEC records from revealing all zone’s subdomains; by using ECDSA we make DNS answers smaller and reduce the risk of reflection attacks; and finally by providing a fully managed solution we take away all the complexity from you.
A visualization of the signatures on our domain. Source: DNSViz
So let us know how those two domains load and validate for you. We’ll make sure to get you some stickers if you find some obscure bug!
UPDATE: The beta is full, thanks for all who are participating.
P.S. If you are a DNSSEC enthusiast and you want to be part of the public beta, just send an email to firstname.lastname@example.org with the name of your website and the answer to this question - first ten people get in:
~~ What is the DNSSEC algorithm number for ECDSAP256SHA256? ~~