DNSSEC
How it works with Cloudflare
Cloudflare hosts my DNS. It provides me a simple interface for management, 2FA for login and acts as a CDN. So it was an easy choice years ago to move DNS there.
Since I’ve been thinking about DNS a lot lately I decided to see if I could setup DNSSEC for my own domain.
It took my about 5 minutes.
In Cloudflare - under DNS, hit the button to Setup DNSSEC. It will generate the required details to add to your Domain Registrar.
In my case I had to provide 4 values to my Registrar.
BEFORE YOU HIT THE BUTTON - check out this link https://support.cloudflare.com/hc/en-us/articles/360006660072 You are specifically looking to see if your Domain Registrar is in the table under Step 2.
Your Registrar might not support the cipher that Cloudflare has chosen to use - number 13, ECDSA CURVE P-256 with SHA256 - so it won’t be in the list. You can contact your current Registrar and see if they will add support or you can transfer your domain. Although, some Top Level Domains (TLDs) don’t support it, here is a list, so you might not have much choice there.
Since my Registrar was on the list, I could follow the link to the Registrar’s KB article on setting it up.
There were two things that weren’t well communicated. The fields presented by my Registrar didn’t exactly match the names provided by Cloudflare.
For the “Algorithm” Cloudflare only listed 13
, but my registrar had 13. ECDSA Curve P-256 with SHA-256
. This was one of 13 different options, all similarly specific. e.g. 2. Diffie-Hellman
or 3. DSA/SHA1
. I figured it out pretty quick but I had to check the Cloudflare help to confirm I was picking the correct option.
The other “mismatch” was Cloudflare listed “Digest Type”, but my Registrar had “Digest Algorithm”. This one was easier to figure out because there were only 4 options presented by my Registrar.
Little things like this can make it harder to setup, I’m pretty familiar with the cipher algorithm options - I was doing a lot of PKI stuff earlier this year and late last year - so this isn’t foreign to me, but I can see this being a stumbling block for other people. It would be a lot of documentation writing to map out all the possible field names from all the different Domain Registrars and DNS Hosters, so I can see gaps like this existing for a while. It would be nice if the industry decided to agree on what to call these details - and probably there are recommendations to that affect in the relevant RFCs, but because this was so easy for me, I didn’t have to go read them.
Testing
Once I got all the values from Cloudflare into my Registrar, I need to confirm that this has done… something.
So I went to DNSViz and put in my website URL, and was presented a nice hierarchical graph of the domain tree with a lot of detail.
Another nice tool is DNSSEC-Analyzer from Verisign Labs. It presents the hierarchy as well, but in boxes, with all the various checks (either Green, Yellow, or Red)
Summary
This was actually very simple for me to setup, because both my DNS Hoster and Domain Registrar support it and support common algorithms. It did take a small amount of poking around, but was still so easy I should have done it ages ago.
Do you have a Domain? Have you setup DNSSEC? How did you find the process?