DNSSEC in a click: Cloudflare tries to crack uptake inertia

Cloudflare is offering DNSSEC in a single click. The content delivery network (CDN) company has included the option to add the security protocol to your domain name through its dashboard in a single, simple form. The goal, the biz said on Tuesday, is increased adoption. Cloudflare won't be charging for the service, its …

  1. Jamie Jones Silver badge

    El Reg writes "In some respects it is like IPv6...."

    In some respects it is like IPv6 - a critical internet protocol that everyone knows they need to update to at some point but endlessly put off because it will cost time and money and there is no urgent need for it

    Ok, then, I'll take the bait!

    theregister.co.uk

    No DS records found for theregister.co.uk in the co.uk zone

    No DNSKEY records found

    theregister.co.uk A RR has value 104.18.223.129

    No RRSIGs found

    "Ooops."

    1. Lee D Silver badge

      Re: El Reg writes "In some respects it is like IPv6...."

      My work here is done, and I pass the reins on to others....

      :-)

    2. Spazturtle Silver badge

      Re: El Reg writes "In some respects it is like IPv6...."

      theregister.co.uk also has no DNS CAA record, which means that anyone can ask a CA for an SSL certificate that is valid for theregister.co.uk and then be able to do a MITM attack.

      1. DougMac

        Re: El Reg writes "In some respects it is like IPv6...."

        Yeah, but with the consolidation in the industry, there's less than a handful of large players, and the small players are probably going to all die off sooner than later. The CAA record seems less useful if it's between a choice of 3 or 4.

  2. Anonymous Coward

    Namecheap + Cloudflare = easy DNSSEC

    Just double checked my domains and Namecheap supports DNSSEC out of the box (but only for 14 TLDs at the moment). A few clicks and I had all five domains configured in about 10 minutes total.

  3. Sampler

    GoDaddy Confusing

    Cloudflare links to GoDaddy's page on how to set up a DS record; however, like so many GoDaddy help files, it's outdated:

    https://ph.godaddy.com/help/add-a-ds-record-23865

    One thing to note: Digest Type shows only as a 1 or 2 in GoDaddy, but Cloudflare says it should be SHA256 (the help page helpfully doesn't say what 1 or 2 is). The long way around, I found this means it's 2; when using 1 I got an error emailed: "Invalid SHA-1 digest".

    Timeout you can seemingly ignore; again, the help page is of no help, but not entering a figure hasn't stopped me from being able to configure it.

    So, if you want to set up with GoDaddy as your host, that'll help. Now, to get my employer to migrate to a better host...
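    The "1 or 2" digest type question above is exactly the choice a registrar form is asking about: a DS record is the hash of the child's DNSKEY, and the digest type number says which hash. The following is an added example (not from the article, Cloudflare, GoDaddy or any commenter) that derives a DS record from a DNSKEY the way RFC 4034 specifies, so you can check what a parent zone should be given. The owner name example.test. and the key bytes are constructed for the demonstration and are not a real key; algorithm 13 (ECDSAP256SHA256) and the digest type numbers are the registered values.

```python
import base64
import hashlib
import struct

# DS digest types registered for DS records:
# 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
# A registrar form that only offers "1 or 2" is offering SHA-1 or SHA-256.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2): lowercase
    labels, each length-prefixed, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA on the wire: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(presentation: str):
    """Parse a DNSKEY RR in zone-file form, e.g.
    'example.test. 3600 IN DNSKEY 257 3 13 <base64>'. Returns (owner, rdata).
    TTL and class are tolerated but not required; base64 may contain spaces."""
    fields = presentation.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, dnskey_rdata(flags, protocol, algorithm, pubkey)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    try:
        h = DS_DIGESTS[digest_type]
    except KeyError:
        raise ValueError(f"unsupported DS digest type {digest_type}") from None
    return h(canonical_wire_name(owner) + rdata).hexdigest().upper()


def ds_record(dnskey_presentation: str, digest_type: int = 2) -> str:
    """Build the DS RR text (key tag, algorithm, digest type, digest) that the
    parent zone needs for the given DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_presentation)
    algorithm = rdata[3]
    digest = ds_digest(owner, rdata, digest_type)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256),
# with 64 deterministic bytes standing in for the public key. NOT a real key.
SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY = ("example.test. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(SAMPLE_PUBKEY).decode())

if __name__ == "__main__":
    for dt in (1, 2):
        print(ds_record(SAMPLE_DNSKEY, dt))
```

    If the registrar rejects a 64-hex-character digest submitted as type 1, that is the "Invalid SHA-1 digest" situation: type 1 expects a 40-character SHA-1 value, type 2 a 64-character SHA-256 value, and the two must match the type number or the parent's DS will never validate the child's key.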

  4. John Geek

    I used this Cloudflare 'secure' DNS for a few days until one of my favourite websites, NASA Worldviewer, kept blowing up, and I found a bunch of DNS errors in nasa.gov, only on the 1.1.x.x servers and not on other public servers like 8.8.x.x.

  5. Anonymous Coward

    I have a few domains

    At both register.com & godaddy. If they had a simple and fully supported one click "make your domain DNSSEC" I'd do it. But I'm not going to mess around for hours trying to figure out some complicated process to do it for domains no one is ever going to try to hijack, and risk that maybe things will change and my domain will break because it isn't really supported. I certainly won't pay more for it.

    Hopefully Cloudflare will start a trend.

  6. Anonymous Coward

    Ah, key rollovers

    I've watched an attempted live key rollover a couple of years back. It failed, and the expert doing it didn't know why. Good luck everyone :-)

  7. Anonymous Coward

    in large part because DNS providers don't see much of an upside to offering it

    Too right.

    There is only one thing which DNSSEC can do, and that is to give SERVFAIL responses to clients if DNSSEC validation fails.

    Of course, if someone is actively trying to poison your DNS, that's what you want to happen; but much more likely it's because of a DNSSEC cockup that things fail. In other words, DNSSEC increases the risk that your users won't be able to access your site.

    Protection against spoofing is already done at the transport/application layer, specifically HTTPS (which protects both against DNS manipulation and other attacks like MITM). And there are much simpler solutions to the DNS poisoning problem too, like DNS cookies.

    1. Spazturtle Silver badge

      Re: in large part because DNS providers don't see much of an upside to offering it

      "Protection against spoofing is already done at the transport/application layer, specifically HTTPS (which protects both against DNS manipulation and other attacks like MITM)."

      Only if the site has a DNS CAA record set, which many sites don't (including theregister.co.uk). Without a CAA record I can go to a CA and get a valid certificate for theregister.co.uk and then perform a MITM attack.

      1. DaLo

        Re: in large part because DNS providers don't see much of an upside to offering it

        "Without a CAA record I can go to a CA and get a valid certificate for theregister.co.uk and then perform a MITM attack."

        No you can't. If you can then go ahead and do it. Is it possible? Yes, but there would have to be other security breakdowns with the trusted root authority or elsewhere (hacked into the register email system) to be able to do it.

    2. Lee D Silver badge

      Re: in large part because DNS providers don't see much of an upside to offering it

      Depends what you're trying to do.

      I imagine if, say, the government wanted to quietly take over a "secure" forum of dissenters, whistleblowers (e.g. Wikileaks) etc. for whatever reason, they could easily get a CA of their choice to sign a certificate, if indeed they don't already have a trusted root cert they can issue under in every single browser already.

      Then they could hijack the DNS for the website in seconds and you'd never know.

      CAA would not combat this (they could just "encourage" the right CA). Certificate pinning/HSTS might. But DNSSEC would also, as there is a similar effort to record keys that were used, and it's trickier to change them even if you own the root TLD.

      Think not "guy trying to get into your WordPress" but, say, China trying to capture everyone who logs into a proxy site.
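    The CAA argument that runs through this thread and the first one (no CAA record means any CA may issue; a CAA record only constrains CAs that honour it at issuance time) is easiest to see in the check a CA actually performs. This is an added example, not code from the article or any commenter: it implements the RFC 8659 lookup (walk from the requested name towards the root and use the closest CAA RRset) and the issue/issuewild decision over a constructed set of zone data. The names ca-one.test, ca-two.test, example.test and its subdomains are made up for the demonstration.

```python
"""Evaluate CAA policy the way a CA's pre-issuance check does (RFC 8659)."""

# Constructed zone data: owner name -> list of (flags, tag, value) CAA records.
# An empty list means the name exists but publishes no CAA RRset.
CONSTRUCTED_CAA = {
    "example.test.": [
        (0, "issue", "ca-one.test"),
        (0, "iodef", "mailto:security@example.test"),
    ],
    "locked.example.test.": [(0, "issue", ";")],          # nobody may issue
    "wild.example.test.": [(0, "issuewild", "ca-two.test")],
    "noca.test.": [],                                       # exists, no CAA
}

CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def ancestors(name: str):
    """Yield the name and each ancestor up to, but excluding, the root."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa(name: str, zone: dict):
    """RFC 8659 section 3: the relevant RRset is the closest non-empty CAA
    RRset found climbing from the name towards the root. Names without a
    CAA RRset are skipped. Returns (owner, records) or (None, [])."""
    for candidate in ancestors(name):
        records = zone.get(candidate)
        if records:
            return candidate, records
    return None, []


def may_issue(name: str, ca_domain: str, zone: dict, wildcard: bool = False):
    """Return (allowed, reason) for a CA identified by ca_domain.
    No CAA anywhere in the chain permits any CA; 'issue ";"' forbids all.
    issuewild governs wildcard names; if absent, issue applies to them too."""
    owner, records = relevant_caa(name, zone)
    if owner is None:
        return True, "no CAA RRset found; issuance is not restricted"
    # An unrecognised property marked critical must block issuance (section 4.5).
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"unrecognised critical property {tag!r} at {owner}"
    tag = "issuewild" if wildcard else "issue"
    props = [v for _, t, v in records if t == tag]
    if wildcard and not props:
        props = [v for _, t, v in records if t == "issue"]
    if not props:
        return True, f"no {tag} property at {owner}; issuance is not restricted"
    # Value syntax is 'issuer-domain [; parameters]'; an empty issuer means none.
    allowed = {v.split(";")[0].strip().lower() for v in props}
    allowed.discard("")
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed in {tag} at {owner}"
    return False, f"{ca_domain} is not in {tag} set {sorted(allowed)} at {owner}"


if __name__ == "__main__":
    checks = [
        ("www.example.test.", "ca-one.test", False),
        ("www.example.test.", "ca-two.test", False),
        ("locked.example.test.", "ca-one.test", False),
        ("noca.test.", "any-ca.test", False),
        ("wild.example.test.", "ca-two.test", True),
    ]
    for fqdn, ca, wild in checks:
        ok, why = may_issue(fqdn, ca, CONSTRUCTED_CAA, wildcard=wild)
        print(f"{'ALLOW' if ok else 'DENY ':5} {fqdn:24} {ca:12} {why}")
```

    Two things the output makes concrete: a zone with no CAA at all (noca.test. here) returns ALLOW for every CA, which is the gap the thread is arguing about; and the check is only as good as the CA running it, since it is a policy the issuer consults rather than something a browser can verify later. Publishing `issue ";"` at names that should never get a certificate, and `iodef` so misissuance requests are reported, is the defensive use of the record.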

  8. JohnFen

    Kudos to Cloudflare

    DNSSEC really needs to be widely adopted (this issue is even more important than getting everyone to use HTTPS, in my opinion), and I'm happy to see a big player making noises about this. I will continue to distrust Cloudflare and won't be using their DNS servers, but perhaps this effort will get other DNS providers to get on board.

  9. glnz

    Is Cloudflare a web hosting service like Network Solutions or GoDaddy?

    Should we move our very small domain to Cloudflare?

    We are NOT techies. All I know is that I like Cloudflare's 1-1-1-1 DNS lookup service.

    1. JohnFen

      Cloudflare is not a hosting service; it is a content delivery network that specialises in protecting websites from things like DDoS attacks.
