
DNSSEC Done Right

What's this blog post about?

The blog post discusses the author's experience with DNSSEC and his decision to join CloudFlare. He explains that DNSSEC is a protocol providing integrity protection for answers from authoritative servers, and that its design has evolved over time. Widespread deployment of crucial building blocks for DNSSEC has been achieved, but more needs to be done in terms of signing enterprise zones and enabling validation in resolvers and clients. The author joined CloudFlare because the company wanted to do things correctly from the beginning and was not afraid to innovate. He highlights some unique aspects of CloudFlare's DNSSEC implementation, such as generating signatures at the edge on demand, using ECDSA P-256 for stronger and smaller signatures, and a special approach to negative answers that provides better defense against zone walking. The announcement regarding CloudFlare's alpha DNSSEC support is the first step towards providing comprehensive DNSSEC offerings to its customers.

Company
Cloudflare

Date published
Jan. 29, 2015

Author(s)
Ólafur Guðmundsson

Word count
1082

Language
English

Hacker News points
11


By Matt Makai. 2021-2024.