
Universal DNSSEC: Secure DNS for Every Domain - hepha1979
https://blog.cloudflare.com/introducing-universal-dnssec/
======
tptacek
_If DNS is the phone book of the Internet, DNSSEC is the unspoofable caller
ID. DNSSEC ensures that a website’s traffic is safely directed to the correct
servers, so that a connection to a website is not intercepted by a man-in-the-
middle._

No, it doesn't. DNSSEC secures server-to-server DNS lookups, not the client-
to-server lookups that your browser generates. DNSSEC is far less valuable
than its proponents would like you to believe, and it comes at a significant
cost to Internet trust: its real use case, that of replacing the CAs with DNS
TLD operators, has the net effect of signing Internet cryptographic trust over
to the world governments that control the most important TLDs.

It's understandable that Cloudflare would jump on DNSSEC: the protocol is
famously annoying to deploy and has caused major outages, including breaking
the first day of HBO Now across all of Comcast. DNSSEC is an opportunity for a
company like Cloudflare to make the case that they should manage your
infrastructure, not you; the more features like DNSSEC Cloudflare can find,
the more market share they'll acquire.

But make no mistake: DNSSEC isn't about helping _you_ with _your_ security
issues.

Obligatory: [http://sockpuppet.org/blog/2015/01/15/against-dnssec/](http://sockpuppet.org/blog/2015/01/15/against-dnssec/)

~~~
sarciszewski
Hmm. Think they'll adopt DNSCrypt next?

~~~
tptacek
DNSCrypt, which is far better and less costly than DNSSEC and does not cede to
the US Government control over TLS keys, was proposed and deployed by a
Cloudflare competitor. So, no.

~~~
jgrahamc
_was proposed and deployed by a Cloudflare competitor. So, no._

Bad reasoning. You think we'll not deploy HTTP/2 because the head of the
committee works for Akamai? C'mon.

DNSCrypt needs a secure resolver and client software. CloudFlare doesn't have
either of those things, which rather hampers us deploying DNSCrypt.

~~~
sarciszewski
> CloudFlare doesn't have either of those things which rather hampers us
> deploying DNSCrypt.

Behold:

* [https://dnscrypt.org/](https://dnscrypt.org/)

* [https://github.com/bitbeans/SimpleDnsCrypt](https://github.com/bitbeans/SimpleDnsCrypt)

I'm sure with Filo on your team you could make that happen.

~~~
jamespo
How are cloudflare going to distribute this proxy to end users?

~~~
sarciszewski
I don't understand your question. I'm asking if they can consider supporting
it and help browser vendors (i.e. Firefox) support the client side of
DNSCrypt.

What does CloudFlare have to distribute?

------
peterwwillis
To recap the ways DNSSEC sucks for users:

* The server/nameserver must have DNSSEC configured properly
  (CloudFlare have solved this for their customers)

* Your client's DNS resolving server must support DNSSEC properly
  (which they might not, depends on the user's network)

* Your client's stub resolver must verify all DNSSEC records
  (most do not currently)

If any of the above fail, you will not have any indication whatsoever and you
will be using regular DNS.

The only time that a user will ever know if DNSSEC is working (for them) is if
the server/nameserver is configured correctly, your client's DNS resolver
supports DNSSEC, your client's stub resolver verifies requests, and then the
user tries to look up a known-invalid domain and it gives them a resolving
error. Otherwise, they will never know if DNSSEC is in use.

Oh, and you can still MITM the data connection between the client and server
even if DNSSEC works.
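
As an added illustration of the "no indication whatsoever" point above (this snippet is not from the thread or from any project mentioned in it), the Python below decodes a DNS response header and shows that the only signal a non-validating stub resolver ever gets is the AD bit set by its recursive resolver, and a SERVFAIL that hides the reason. The sample responses are constructed inline.

```python
import struct

# Bit masks for the 16-bit flags word of the DNS header (RFC 1035, RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
SERVFAIL = 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),  # resolver claims it validated the answer
        "cd": bool(flags & CD),  # client asked the resolver not to validate
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def build_response(ident: int, validated: bool, rcode: int = 0) -> bytes:
    """Constructed sample: a minimal response header (records omitted) as a
    recursive resolver would return it. Only the AD bit distinguishes a
    validated answer from an ordinary, unsigned one."""
    flags = QR | RD | RA | rcode
    if validated:
        flags |= AD
    return struct.pack("!6H", ident, flags, 1, 1, 0, 0)


def dnssec_status(msg: bytes) -> str:
    """What a non-validating stub can conclude from a response header.

    The AD bit is only a claim by the resolver; on an untrusted network path
    it can be stripped or forged, so a stub that does not validate itself
    cannot tell "unsigned zone" from "signatures removed in transit"."""
    h = parse_header(msg)
    if h["rcode"] == SERVFAIL:
        return "failed-or-bogus"  # user just sees a resolving error
    if h["ad"]:
        return "validated-by-resolver"
    return "unknown"  # indistinguishable from plain DNS
```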

------
enginnr
DNS is often the weakest link in the chain and well worth hardening if you're
doing proactive sec. Combined with DNSCrypt it can be a pretty robust setup.
My only problem with DNS hardening is zero-knowledge problems. See
[https://en.wikipedia.org/wiki/Zero-knowledge_proof](https://en.wikipedia.org/wiki/Zero-knowledge_proof). It is
possible to encrypt DNS queries, but tricky for end points to deny knowledge
of having requested it, and so we have zero-knowledge proof issues.

------
danyork
This is great news for those of us who want to see DNSSEC more widely deployed
for three reasons:

1. CloudFlare already hosts the DNS for millions of domains. This is now
making it VERY easy for those who use CloudFlare to sign their domains with
DNSSEC.

2. Because of the competition within the DNS hosting / operator space, this
move by CloudFlare will hopefully motivate the other large DNS operators to
simplify their own user experience for DNSSEC.

3. For those of us who want to see stronger crypto within DNSSEC, this move
by CloudFlare advances the use of an elliptic curve algorithm. Yes, ECDSA has
its issues, but by getting it out there: a) it gets people looking at EC
algorithms; and b) it gets software providers realizing they need to have
their user interfaces adaptable to incorporate more DNSSEC algorithms. (I.e.
to realize the list is NOT fixed and will grow over time.)

As I said in another comment
([https://news.ycombinator.com/item?id=10553383](https://news.ycombinator.com/item?id=10553383))
there _is_ a draft out there to add Ed25519 as a DNSSEC algorithm:

[https://tools.ietf.org/html/draft-sury-dnskey-ed25519-01](https://tools.ietf.org/html/draft-sury-dnskey-ed25519-01)

This draft needs to be approved through the IETF working groups - and then
deployed on both the _signing_ and _validation_ sides of DNSSEC. This will
take quite some time and so we need to start as soon as we can.

------
mike-cardwell
Also of relevance:

[https://www.mail-archive.com/dane-users@sys4.de/msg00142.htm...](https://www.mail-archive.com/dane-users@sys4.de/msg00142.html)

Comcast published TLSA records the other day. So when people like myself who
have enabled TLSA in Postfix send email to Comcast users, the SMTP connection
is guaranteed to be both encrypted, and the SSL cert validated.

------
pbreit
I may or may not use Cloudflare's core service but would it still be a
reasonable place to host my DNS entries?

~~~
benjaminl
I am not sure if Cloudflare would advocate this use case, but quick DNS is
actually a crucial part of a quick-loading site, and it is surprisingly hard
to get reasonably priced high-performance DNS. I have been using Cloudflare
just for DNS for my hobby site and it has been working great.

------
ausjke
That's what I want to do: enable DNSSEC in dnsmasq and run it on my router.

~~~
jedisct1
Yep, dnsmasq finally supporting DNSSEC is an excellent thing.

Alternative router firmwares such as Tomato Shibby support DNSSEC validation
out of the box, thanks to this.

I wish more and more routers (most of them running dnsmasq) would also do
this.

~~~
rb12345
On recent Ubuntu releases, you can enable DNSSEC resolving by adding the
following to "/etc/NetworkManager/dnsmasq.d/dnsmasq.conf":

    # Validate DNSSEC signatures on answers dnsmasq forwards.
    dnssec
    # Also verify, via the DS chain, that zones claiming to be unsigned really are.
    #dnssec-check-unsigned
    # Root trust anchor shipped with the dnsmasq-base package.
    conf-file=/usr/share/dnsmasq-base/trust-anchors.conf

Of course, it's possible to strip the signing unless you use Google DNS or
whatever and uncomment the "dnssec-check-unsigned" line.

~~~
jedisct1
Why isn't it enabled by default?

------
jedisct1
A big step towards making the Internet more secure. Kudos to Cloudflare for
the amazing work they did.

