DNSSEC in a click: Cloudflare tries to crack uptake inertia

Meanwhile global key rollover is confirmed for October 11

DNS toolkit

Cloudflare is offering DNSSEC in a single click.

The content delivery network (CDN) company has included the option to add the security protocol to your domain name through its dashboard in a single, simple form. The goal, the biz said on Tuesday, is increased adoption.

Cloudflare won't be charging for the service, its systems engineer Vicky Shrestha and product manager Sergi Isasi noted, including a poke at the world's largest registrar GoDaddy for charging for the upgrade.

"Our stance here is clear: DNSSEC should be available and included at all DNS operators for free," the post says.

DNSSEC is an important security protocol that sits on top of the existing domain name system and provides a critical level of assurance that traffic comes from where it says it does, making it much harder for someone to carry out a man-in-the-middle attack.

But despite a big push a decade ago, when security researcher Dam Kaminsky uncovered a serious flaw in the DNS, and despite DNS overseer ICANN requiring all new top-level domains to provide DNSSEC, adoption is still pitifully low: just 14 per cent of DNS requests are validated using the protocol.

A pathetic 3 per cent of the Fortune 1000 largest corporations have signed their main websites with the DNSSEC.

Worse, adoption appears to have flattened out, in large part because DNS providers don't see much of an upside to offering it. It can be a difficult and sometimes costly rollout and very few people are willing to pay for the service.

Shake-up

In some respects it is like IPv6 - a critical internet protocol that everyone knows they need to update to at some point but endlessly put off because it will cost time and money and there is no urgent need for it.

Cloudflare hopes to shake up that complacency by offering DNSSEC in an extremely easy fashion. It has adopted the official RFC and provides full support for CDS and CDNSKEY, removing the need for someone to login and upload a DS record.

Of course, your domain would still need both the registry and registrars to handle DNSSEC. If it doesn't, Cloudflare prods, then simply take your business elsewhere.

"If you are on a service that does not support DNSSEC, we encourage you to switch to one that does and let them know that was the reason for the switch," it states bluntly.

According to regional internet registry APNIC, another issue is that 40 per cent of people that actually go to the trouble or trying to add DNSSEC to their domain give up part way through. And Cloudflare has created a graphic showing completion rates through its system for different registries. It's pretty depressing.

What's the problem? Cloudflare pins the blame squarely on the registrars' horrible user interfaces: "This end result is likely not surprising to anyone who has tried to add a DS record to their registrar. Locating the part of the registrar UI that houses DNSSEC can be problematic, as can the UI of adding the record itself."

Plus adding DNSSEC sometimes requires multiple logins and there is not a single clear method across the industry of implementing DNSSEC.

So Cloudflare's system is designed to remove some of those barriers: it will publish CDS and CDNSKEY records for all domains that use its service so registries can access them in a single place, allowing for some degree of automation. It highlights the registries and registrars that will work with the system.

We're not great fans of product reviews at The Register but when pretty much every internet engineer in the planet urges people to add DNSSEC to their domain, and no one seems to be doing much about it – or, at least, to actively push adoption – then we're behind it. Especially anything that makes it easier.

Key rollover

Talking of which, the long-delayed update of the internet's Key Signing Key (KSK) to a lengthier, and hence more secure, 2048-bit RSA key has been confirmed as happening on October 11.

Last September – almost exactly a year ago – DNS overseer ICANN announced it was postponing a planned rollover the following month over fears that as many as 60 million people could be forced offline.

The KSK acts as an anchor for the global internet. It builds a chain of trust from the root zone down through the whole domain name system so that DNS resolvers – software that turns addresses like theregister.com into network addresses like 159.100.131.165 – can verify they're getting good valid results to their queries.

Internet engineers knew that introducing a longer key pair would cause some old and poorly configured systems to throw out errors and so planned a slow rollout, starting back in May 2016.

But just weeks out from the planned rollover, data gathered on the likely impact revealed that more than half of the internet's root servers were reporting a large number of validators on the internet – between 5 and 8 per cent – only had a 2010 version of the KSK key in their systems, as opposed to reporting both the 2010 and 2017 version.

That meant that people relying on those systems could find themselves effectively booted off the internet. So ICANN decided to postpone it. Well, 12 months later it is back on track, seemingly more confident that there won't be an internet Armageddon and is planning to carry out the change on the same day: October 11 at 1600 UTC.

Hopefully the impending deadline – and Cloudflare's simple one-click DNSSEC approach - will spark registries and registrars to reassess and update their systems so the overall domain name system is more secure. Here's hoping, huh? ®




Biting the hand that feeds IT © 1998–2018