DNSSEC: Complexities and Considerations
This blog post discusses some complications associated with Domain Name System Security Extensions (DNSSEC), an extension to the Domain Name System (DNS) that provides a system of trust for DNS records. The main issues are zone content exposure, key management, and the impact on DNS reflection/amplification attacks. Zone content exposure arises because enabling DNSSEC may expose otherwise obscured zone content. Key management is another concern, as DNSSEC was designed to operate in various modes, each providing different security, performance, and convenience tradeoffs. Lastly, operators running an authoritative DNS server are often nervous that their server will be used as a conduit for malicious distributed denial of service (DDoS) attacks, because DNS uses UDP, a stateless protocol. CloudFlare is working on solutions to address these issues and reduce any negative impact they might have.
Company
Cloudflare
Date published
Nov. 5, 2014
Author(s)
Nick Sullivan
Word count
2631
Language
English
Hacker News points
8