DNSSEC Done Right
The blog post discusses the author's experience with DNSSEC and his decision to join CloudFlare. He explains that DNSSEC is a protocol providing integrity protection for answers from authoritative servers, and that its design has evolved over time. Widespread deployment of crucial building blocks for DNSSEC has been achieved, but more needs to be done in terms of signing enterprise zones and enabling validation in resolvers and clients. The author joined CloudFlare because the company wanted to do things correctly from the beginning and was not afraid to innovate. He highlights some unique aspects of its DNSSEC implementation, such as generating signatures at the edge on demand, using ECDSA P-256 for stronger and smaller signatures, and a special approach to negative answers that provides better defense against zone walking. The announcement of CloudFlare's alpha DNSSEC support is the first step towards providing comprehensive DNSSEC offerings to its customers.
Company: Cloudflare
Date published: Jan. 29, 2015
Author(s): Ólafur Guðmundsson
Word count: 1082
Language: English
Hacker News points: 11