Announcing Universal DNSSEC: Secure DNS for Every Domain

by Dani Grant.

CloudFlare launched just five years ago with the goal of building a better Internet. That’s why we are excited to announce that beginning today, anyone on CloudFlare can secure their traffic with DNSSEC in just one simple step.

This follows one year after we made SSL available for free, and in one week, more than doubled the size of the encrypted web. Today we will do the same with DNSSEC, and this year, we’ll double the size of the DNSSEC-enabled web, bringing DNSSEC to millions of websites, for free.

If DNS is the phone book of the Internet, DNSSEC is the unspoofable caller ID. DNSSEC ensures that a website’s traffic is safely directed to the correct servers, so that a connection to a website is not intercepted by a man-in-the-middle.

Solving A Decades-Old Vulnerability In DNS

Every website visit begins with a DNS query. When I visit cloudflare.com, my browser first needs to find the IP address:

cloudflare.com. 272 IN A 198.41.215.163

When DNS was invented in 1983, the Internet was used by only a handful of professors and researchers, and no one imagined that there could be foul play. Thus, DNS relies on sheer trust to operate; no matter what IP address you receive in return, your browser blindly trusts it and attempts to establish a TCP connection with that server.

cloudflare.com. 272 IN A 6.6.6.6

A malicious Wi-Fi network, an attacker on your router, a compromised ISP, or any other man-in-the-middle can exploit this decades-old vulnerability in DNS to connect you to any server they choose. This lack of authentication in DNS has been exploited by countries to block banned websites, by intelligence agencies to intercept traffic, by service providers to inject ads, and by attackers to phish visitors and serve malware.

If we want to build an Internet we can trust, we must eliminate the possibility of this type of attack. The proven solution is DNSSEC. Our goal is to have DNSSEC enabled on every website on CloudFlare. It should be the expectation, not the exception, that DNS is secured by DNSSEC.

How Trust Is Delegated In DNSSEC, And How It Should Be Automated

In DNSSEC, trust is chained down from the root zone, to the Top Level Domain (TLD), to the domain, and then to any subdomain. You can trust cloudflare.com in DNSSEC because it is verified by a key contained at the .com zone, and you can trust .com because it is verified by a key contained at the root zone.

cloudflare.com ECDSA public key:
mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==

SHA-256 hash of cloudflare.com key in .com zone:
32996839a6d808afe3eb4a795a0e6a7a39a76fc52ff228b22b76f6d63826f2b9

SHA-256 hash of .com key published in the root zone:
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766

Keys in DNSSEC can be trusted because their hashes are stored in the zone above them, allowing DNS resolvers to compare the key against its hash. Therefore, to activate DNSSEC, a website owner needs to:

  • Copy the keys from CloudFlare’s dashboard
  • Paste them in the registrar’s dashboard
  • The registrar then updates the information contained in the registry with the new keys

This part is problematic: copying and pasting opens up the possibility of human error, and it prevents the spread of DNSSEC on the web if the registrar still hasn’t added support in its interface for the protocol or for our DNSSEC cipher choice.

If CloudFlare could instead communicate directly with the registry, we could activate DNSSEC for every website on CloudFlare automatically, a full 42% of managed DNS. The sheer scale could fundamentally upgrade the mechanism of trust in the Internet backbone.
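The key-against-hash comparison described in this section can be reproduced offline from the two cloudflare.com values listed above. The following is an added example, not CloudFlare's code; it assumes the DNSKEY header fields that the page does not show (flags 257, protocol 3, algorithm 13) and the DS digest construction from RFC 4034.

```python
import base64
import hashlib

# Values copied from the page (the key keeps the space it is printed with).
OWNER = "cloudflare.com."
PUBKEY_B64 = ("mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ "
              "KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
DS_DIGEST_IN_COM = "32996839a6d808afe3eb4a795a0e6a7a39a76fc52ff228b22b76f6d63826f2b9"

# Assumed DNSKEY header fields, not stated on the page:
# flags 257 = key-signing key, protocol 3, algorithm 13 = ECDSA P-256 / SHA-256.
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    key = base64.b64decode("".join(pubkey_b64.split()))  # drop presentation spaces
    return FLAGS.to_bytes(2, "big") + bytes([PROTOCOL, ALGORITHM]) + key


def ds_digest(owner: str, pubkey_b64: str) -> str:
    """DS digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + dnskey_rdata(pubkey_b64)).hexdigest()


def key_matches_ds(owner: str, pubkey_b64: str, ds_hex: str) -> bool:
    """The comparison a validating resolver makes before trusting a child key."""
    return ds_digest(owner, pubkey_b64) == ds_hex.strip().lower()


def substitute_key(pubkey_b64: str) -> str:
    """Constructed stand-in for a key the parent never vouched for: one byte changed."""
    raw = bytearray(base64.b64decode("".join(pubkey_b64.split())))
    raw[0] ^= 0xFF
    return base64.b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    print("published key matches hash in .com:",
          key_matches_ds(OWNER, PUBKEY_B64, DS_DIGEST_IN_COM))
    print("substituted key matches hash in .com:",
          key_matches_ds(OWNER, substitute_key(PUBKEY_B64), DS_DIGEST_IN_COM))
```

The same check applies one level up: the .com key is hashed and compared with the value published in the root zone, which is why a key mistyped during copy and paste fails validation instead of being silently accepted.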

Creating Internet Standards

At CloudFlare, we care about advancing what’s possible on the Internet, so we have published an Internet Draft proposing a protocol for DNS providers such as CloudFlare to communicate directly to registries and registrars. We are pushing it to become an accepted Internet Standard RFC.

Registries all over the world are already building support for this protocol, which means that over the next year, CloudFlare will be able to activate DNSSEC automatically for the tens of thousands of websites on CloudFlare with the .ca, .cl and .ee TLDs without users having to manage the activation.

We are inviting all registries and registrars to take a step forward with us towards a better and safer web. If you’re a registry or registrar and want to get involved, get in touch by emailing [email protected]. Help us keep the Internet trustworthy.

DNSSEC and CloudFlare

Since we launched the DNSSEC public beta just three weeks ago, we have protected 150 million people and 21 billion web requests with DNSSEC.

Several registries and registrars have added support for DNSSEC with ECDSA, our chosen cipher, since we started our beta just a few weeks ago. Big shoutout to OVH, Hover, Internet.bs and Metaname, as well as EURid (.EU) and NZRS (.NZ), allowing hundreds of thousands of websites on CloudFlare to turn on DNSSEC right now.

This is just the start. Now it’s your turn. Join us in making the web better.
