Uptake of the newer DNSSEC protocol has been slow, but a new tool from Cloudflare looks to make it easier to ensure secure websites and more control over DNS.
September 21, 2018
Cloudflare is adding a new feature to its hosting and firewall products that the networking company hopes will address the slow uptake of the Domain Name System Security Extensions (DNSSEC) protocol.
The method to support the DNSSEC protocol has been a manual one before this, requiring a website owner to add a "DS record" to its account with their registrar.
A Cloudflare customer that is working with a registry that supports DNSSEC can activate it for their account by the press of a button from the Cloudflare dashboard.
DNSSEC proves authenticity and integrity — though not confidentiality — of a response from the authoritative nameserver. This makes it much harder for a bad actor to inject malicious DNS records into the resolution path through malware techniques such as BGP Leaks and cache poisoning. Trust in Domain Name System (DNS) can be critical when a domain is publishing record types that are used to declare trust for other systems.
(Source: iStock)
A simple way for a user to test if DNSSEC is enabled within their network is to try and load brokendnssec.net with a browser. If the page loads, the protocol is inactive.
The number of DNS queries validated by recursive resolvers for DNSSEC has remained flat over the years. Worldwide, less than 14% of DNS requests have DNSSEC validated by the resolver according to APNIC, which functions as the Regional Internet Registry for the Asia Pacific area.
Cloudflare believes that struggle to add a DS record may be at the root of the low utilization:
"Locating the part of the registrar UI that houses DNSSEC can be problematic, as can the UI of adding the record itself. Additional factors such as varying degrees of technical knowledge amongst users and simply having to manage multiple logins and roles can also explain the lack of completion in the process. Finally, varying levels of DNSSEC compatibility amongst registrars may prevent even knowledgeable users from creating DS records in the parent."
While all of this is going on, the ICANN Organization is preparing to change the cryptographic keys that help to protect the Internet's DNS for the first time.
The changing of the keys, known as the "Root Key Signing Key (KSK) Rollover," is currently scheduled for October 11. Final ratification of that date has not yet been done.
ICANN attempted this update a year ago but had to cancel it at the last minute. The rollover was postponed due to "unclear data received just before the rollover." ICANN thinks the two thirds of users that do not use DNSSEC will not be impacted by the KSK rollover.
Related posts:
DNS Rebinding Attack Could Affect Half a Billion IoT Devices
How the Cloud Is Changing the Identity & Access Management Game
Researchers Show How Attackers Can Crack LTE Data Link Layer
Google, Roku, Sonus Rush Out Patches for DNS Vulnerability
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
Read more about:
Larry Loeb
Blogger, Informationweek
Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].
You May Also Like
Tips for Managing Cloud Security in a Hybrid Environment
Top Cloud Security Threats Targeting Enterprises
DevSecOps: The Smart Way to Shift Left
API Security: Protecting Your Application’s Attack Surface
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Cyber Resiliency 2023: How to Keep IT Operations Running, No Matter What
Passwords Are Passe: Next Gen Authentication Addresses Today’s Threats
The State of Supply Chain Threats
How to Deploy Zero Trust for Remote Workforce Security
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
SANS ICS/OT Cybersecurity Survey: 2023’s Challenges and Tomorrow’s Defenses
The OT Zero Trust Handbook: Implementing the 4 Cornerstones of OT Security
Migrations Playbook for Saving Money with Snyk + AWS
Increase Speed and Accuracy with AI Driven Static Analysis Auditing
The Developers Guide to API Security
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Cyber Resiliency 2023: How to Keep IT Operations Running, No Matter What
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.
About The Author
More Stories
Anatomy of a Scam
Climate and Environmental Sustainability Within the IETF and IRTF
From Commitments to Practice: Internet Society’s Priorities for WSIS+20 Implementation