CloudFlare DNSSEC

Finally!

CloudFlare’s mission is to make the web more secure. That’s why we spent the last two years working on Universal DNSSEC. With just a few clicks, you can now protect your domain name from DNS cache poisoning and man-in-the-middle attacks at no extra cost. All you need to do is upload one DNS record to your registrar.

If you care about the integrity and reputation of your brand, you should learn more about how DNSSEC helps prevent domain hijacking.
Thanked by 2: ToggledNS, netomx

Comments

  • For those that don't like scrolling horizontally:

    CloudFlare’s mission is to make the web more secure. That’s why we spent the last two years working on Universal DNSSEC. With just a few clicks, you can now protect your domain name from DNS cache poisoning and man-in-the-middle attacks at no extra cost. All you need to do is upload one DNS record to your registrar. If you care about the integrity and reputation of your brand, you should learn more about how DNSSEC helps prevent domain hijacking.

  • Nice. It's at the bottom of the "DNS" section if anyone was wondering.

  • Dammit, now I only have to get bizcn/cnobin to support DNSSEC.

    Thanked by 1: paily
  • Frecyboy Member
    edited November 2015

    Saw that yesterday in the cf panel and thought I must have overlooked that all the time.

  • @gbshouse said:
    Meh

    Why meh?

  • rokok said: Why meh?

    What does gbshouse provide? Mmmmh? ;-)

    Thanked by 1: gbshouse
  • @Amitz said:
    What does gbshouse provide? Mmmmh? ;-)

    I know

    Meh like Spotify CEO react 'Oh Ok' when Apple launch Apple Music?

    Thanked by 2: Amitz, Dylan
  • rokok said: Meh like Spotify CEO react 'Oh Ok' when Apple launch Apple Music?

    Exactly that kind of "Meh", I assume! :-)

    Thanked by 3: rokok, netomx, Dylan
  • joepie91 Member, Patron Provider
    edited November 2015

    Was about to post that. I've been asking quite a few people throughout the past year, and I have yet to find somebody with actual counter-arguments to that post.

    TL;DR DNSSEC is broken, and possibly harmful.

  • If it is really that weak, why would CloudFlare be announcing it? They are hosting so many sites...

  • Profforg Member
    edited November 2015

    qhoster said: If it is really that weak, why would CloudFlare be announcing it? They are hosting so many sites...

    That's a good marketing trick to attract newbies to use CloudFlare.

  • joepie91 said: I have yet to find somebody with actual counter-arguments to that post.

    I can oblige.

    For starters, the post claims DNSSEC is cryptographically weak, allegedly because 1024-bit RSA keys are weak. But DNSSEC can work with any key size; it accepts 1024-bit RSA keys as well as 2048-bit RSA keys. By the same argument, OpenSSH is "cryptographically weak" because it will happily let you generate a 768-bit RSA key if you insist. Just because ECC is faster and more compact doesn't mean RSA is cryptographically weak.

    Next, they claim DNSSEC is expensive to adopt. As support for this, they state that virtually no network software is equipped to handle the extra failure cases (bad signature, etc). Missing from their report is any actual estimation of the expense needed to handle these cases in, e.g., a browser, and I do not think it would be that high.

    And what kind of argument against new technology is that, that it would be "expensive to adopt"? This is the "let's keep running Windows ME because we already wrote all the code for it" argument, right?

    DNSSEC is Expensive To Deploy: Supposedly because TLS is hard to deploy, and DNSSEC is harder to deploy than TLS. But TLS is not hard to deploy at all, unless you're a quadriplegic.

    DNSSEC is Incomplete: There is an obvious fix for the identified problem: run a DNSSEC capable resolver locally.

    DNSSEC is Unsafe: Allegedly because it "leaks" the DNS names. The obvious fix here is not to use your password as a host name in public DNS.

    DNSSEC is Architecturally Unsound: Supposedly because it is not end-to-end. But it is end-to-end if you run a DNSSEC resolver.

  • joepie91 Member, Patron Provider

    singsing said: For starters, the post claims DNSSEC is cryptographically weak, allegedly because 1024-bit RSA keys are weak. But DNSSEC can work with any key size; it accepts 1024-bit RSA keys as well as 2048-bit RSA keys. By the same argument, OpenSSH is "cryptographically weak" because it will happily let you generate a 768-bit RSA key if you insist. Just because ECC is faster and more compact doesn't mean RSA is cryptographically weak.

    singsing said: DNSSEC is Unsafe: Allegedly because it "leaks" the DNS names. The obvious fix here is not to use your password as a host name in public DNS.

    singsing said: Next, they claim DNSSEC is expensive to adopt. As support for this, they state that virtually no network software is equipped to handle the extra failure cases (bad signature, etc). Missing from their report is any actual estimation of the expense needed to handle these cases in, e.g., a browser, and I do not think it would be that high.

    singsing said: DNSSEC is Expensive To Deploy: Supposedly because TLS is hard to deploy, and DNSSEC is harder to deploy than TLS. But TLS is not hard to deploy at all, unless you're a quadriplegic.

    All covered here, which was linked from the original post.

    singsing said: And what kind of argument against new technology is that, that it would be "expensive to adopt"? This is the "let's keep running Windows ME because we already wrote all the code for it" argument, right?

    No. The argument is that you should not have to bear the cost of adoption if the benefit is too small or non-existent (or even has a negative effect, rather than a benefit). Terrible analogy.

    singsing said: DNSSEC is Incomplete: There is an obvious fix for the identified problem: run a DNSSEC capable resolver locally.

    singsing said: DNSSEC is Architecturally Unsound: Supposedly because it is not end-to-end. But it is end-to-end if you run a DNSSEC resolver.

    Runs into the same deployment issues.

  • joepie91 Member, Patron Provider
    edited November 2015

    qhoster said: If it is really that weak, why would CloudFlare be announcing it? They are hosting so many sites...

    The same reason they have "Universal SSL", which is deceptive, lies to end users, and nowhere near as secure as people think it is.

    It can be for marketing or, depending on your level of paranoia, it can be because Cloudflare is in a great position to encourage poorly implemented crypto (eg. Universal SSL, which is MITMed by design) so that certain other parties can benefit from wide deployment of it.

    EDIT: Whoops, double post.

    Thanked by 1: netomx
  • joepie91 said: I have yet to find somebody with actual counter-arguments to that post.

    ... and now the actual counter-arguments aren't good enough.

    Your tactics are highly repetitive.

  • @singsing said:
    DNSSEC is Unsafe: Allegedly because it "leaks" the DNS names. The obvious fix here is not to use your password as a host name in public DNS.

    This is a silly counter argument. If you can't understand why you don't want the subdomains to be public, you should install Windows and play Solitaire.

  • deadbeef said: If you can't understand why you don't want the subdomains to be public, you should install Windows and play Solitaire.

    Ditto to you if you can't figure out a way to secure your network without relying on privacy of subdomains.

  • Subdomains will leak regardless of whether DNSSEC is used or not. Secret subdomains shouldn't be used at all if you do not want any to leak.

    The article's alternative, which is public key pinning, is not better than DNSSEC though. It is susceptible to MITM methods like the ones deployed by antivirus software or enterprise firewalls.

    DNSSEC is also not that hard to deploy. In an end-user computer/device, all you need to do is to switch to Google DNS, a DNSSEC-validating-and-enforcing resolver service. No need for browser or other software to be modified to support DNSSEC at all. If you use Google DNS, try opening http://www.dnssec-failed.org/ in your browser and you will get an ERR_NAME_RESOLUTION_FAILED error message.

    For the more complicated server-side deployment, three prerequisites are needed: top-level domain (.com, .info, .be et al.) support, registrar support and server (BIND, PowerDNS et al.) software support. The latter problem was solved a long time ago. If you do not know how to run a server, there are always services like Rage4 or this one from CloudFlare. The second problem will eventually solve itself, considering that ICANN has mandated DNSSEC support for registrars if they want to keep their license.

    Only the first problem can be iffy sometimes. But common domains like .com and .net should have no problems, while some country-code domains may not support it.
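An added example, not posted by anyone in this thread: a small Python check that takes the text of a `dig +dnssec` query sent to a resolver and classifies the outcome the way the post above describes it (validated when the AD flag is set; signed but not validated when RRSIGs come back without AD, i.e. the resolver is not a validating one; unsigned; or SERVFAIL, which is what a validating resolver such as Google DNS returns for dnssec-failed.org). The dig outputs are constructed samples, not real captures.

```python
import re

# Constructed samples in the style of `dig +dnssec <name> A` output (not real captures).
DIG_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40117
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t300\tIN\tA\t203.0.113.10
example.com.\t300\tIN\tRRSIG\tA 13 2 300 20151201000000 20151101000000 2371 example.com. c29tZXNpZ25hdHVyZQ==
"""
# Same zone, but asked through a resolver that does not validate: RRSIG present, no AD flag.
DIG_SIGNED_NO_VALIDATION = DIG_SECURE.replace("qr rd ra ad;", "qr rd ra;")
# Unsigned zone: no RRSIG and no AD flag.
DIG_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40118
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
unsigned.example.\t300\tIN\tA\t203.0.113.11
"""
# What a validating resolver hands back for a deliberately broken zone (e.g. dnssec-failed.org).
DIG_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40119
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def classify(dig_output: str) -> str:
    """Classify a dig response: secure, signed-not-validated, insecure or bogus-or-error."""
    status = re.search(r"status: (\w+)", dig_output)
    flags_m = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    # RRSIG records in the answer: present only if the zone is signed and DO was set.
    rrsigs = len(re.findall(r"^\S+\s+\d+\s+IN\s+RRSIG\s", dig_output, re.M))
    if status and status.group(1) == "SERVFAIL":
        # A validating resolver returns SERVFAIL for bogus data; it can also mean an
        # ordinary upstream failure. Re-querying with `dig +cd` (checking disabled)
        # tells them apart: an answer under +cd means validation, not reachability, failed.
        return "bogus-or-error"
    if "ad" in flags:
        return "secure"          # resolver validated the chain from the root down
    if rrsigs:
        return "signed-not-validated"  # zone is signed, but this resolver is not validating
    return "insecure"            # unsigned zone (or no DS at the parent)


if __name__ == "__main__":
    for name, out in [("secure", DIG_SECURE), ("no-validation", DIG_SIGNED_NO_VALIDATION),
                      ("unsigned", DIG_UNSIGNED), ("bogus", DIG_BOGUS)]:
        print(f"{name}: {classify(out)}")
```

Feed it real output (`dig +dnssec example.com A @8.8.8.8`) to see whether the resolver you are using actually validates, which is the end-user side of the deployment the post describes.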

  • So, no SSHFP and no TLSA records? Meh, staying with Rage4 ;-)

    Thanked by 1: gbshouse