Deploy360 7 October 2014

CloudFlare Publishes Excellent Introduction To DNSSEC

By Dan York, Director, Web Strategy & Project Leader, Open Standards Everywhere

The team over at CloudFlare published an excellent introduction to DNSSEC today that is well worth a read. CloudFlare has developed a reputation for writing blog posts that provide a solid level of technical depth, and this one certainly does. Nick Sullivan starts by walking through the basics of DNS, including some packet captures and nice illustrations. Then he gets into man-in-the-middle (MITM) attacks and provides a great graphic that very succinctly shows a MITM attack against DNS:

[Image: CloudFlare MITM example]

Even better, Sullivan nicely explains the “Kaminsky Attack” and the situation that makes the attack possible. He then plunges into DNSSEC, explains RRsets and RRSIGs, ZSKs and KSKs, and touches on the value of NSEC/NSEC3 to prove that records don’t exist.

All in all it is an excellent introduction and we’re very pleased to see CloudFlare publishing this piece.  Thanks to Nick Sullivan and his team for getting this out there!

As we’ve written about before, CloudFlare has been saying since the ICANN 50 DNSSEC Workshop back in July that they would have DNSSEC available for their customers by the end of 2014.  Their post today says “in the next six months”… but we’ll hope it comes in on the sooner side of that. 🙂  It was also great to see the official announcement that CloudFlare has hired Olafur Gudmundsson, one of the developers of the first DNSSEC implementation many, many years ago and currently one of the co-chairs of the DANE Working Group within the IETF.  We’ve been working with Olafur over the past few years through our partnership with Shinkuro, Inc., where he worked before, and we’re delighted that he’s now working on DNSSEC at CloudFlare.

All great to see – and this will only help get DNSSEC much more widely deployed!

If you want to get started with DNSSEC today, please visit our Start Here page to find resources targeted at your role or type of organization. Help us make the Internet more secure today!

P.S. Have you checked out our new DNSSEC Fact Sheet in English, French and Spanish?


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
