Cloudflare Helps Boost DNSSEC Adoption as Key Rollover Nears

Cloudflare announced on Monday the introduction of a new feature that will allow some users to enable the Domain Name System Security Extensions (DNSSEC) protocol with the click of a button.

Cloudflare customers whose domains sit under a supporting registry can now enable DNSSEC from the Cloudflare dashboard. This takes the burden off website owners, who normally need to log in to their registrar and add a DS record manually.

Data from APNIC shows that many domain owners have attempted to activate DNSSEC, but failed to complete the process. Globally, less than 14 percent of DNS requests have DNSSEC validated by the resolver. Some countries, such as Norway and Sweden, have validation rates of roughly 80%, but China for instance validates less than 1% of requests. The validation rate in the United States is just over 23%.

[Figure: DNSSEC validation rates by country]

“Locating the part of the registrar UI that houses DNSSEC can be problematic, as can the UI of adding the record itself. Additional factors such as varying degrees of technical knowledge amongst users and simply having to manage multiple logins and roles can also explain the lack of completion in the process. Finally, varying levels of DNSSEC compatibility amongst registrars may prevent even knowledgeable users from creating DS records in the parent,” Cloudflare explained in a blog post.

Cloudflare’s ability to let customers enable DNSSEC this easily comes from its support for CDS and CDNSKEY records. These mirror the DS and DNSKEY record types, and are published in the child zone to signal to the parent or registrar that the domain wants DNSSEC enabled and a DS record placed in the parent.

“Cloudflare will publish CDS and CDNSKEY records for all domains who enable DNSSEC. Parent registries should scan the nameservers of the domains under their purview and check for these rrsets. The presence of a CDS key for a domain delegated to Cloudflare indicates that a verified Cloudflare user has enabled DNSSEC within their dash and that the parent operator (a registrar or the registry itself) should take the CDS record content and create the requisite DS record to start signing the domain,” Cloudflare said.
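The parent-side step described above, as an added example that is not Cloudflare's or any registry's code: compute the DS form of a child's DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256 digest) and accept a CDS record only when it matches a KSK the child actually serves. The owner name, the 64-byte "public key" and the CDS set are constructed sample values, and only SHA-256 (digest type 2) CDS records are considered.

```python
import base64
import hashlib
import struct

SHA256_DIGEST_TYPE = 2  # DS digest type 2 = SHA-256 (RFC 4509)

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY/CDNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum of 16-bit words, carry folded back in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY/CDNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, SHA256_DIGEST_TYPE, digest)

def reconcile_cds(owner: str, cds_rrset, dnskey_rrset):
    """Parent-side check: publish a CDS only if it matches a DNSKEY the child serves
    and that key has the SEP bit set (flags 257), i.e. it really is a KSK."""
    live = {ds_from_dnskey(owner, *k) for k in dnskey_rrset if k[0] & 0x0001}
    return [cds for cds in cds_rrset if tuple(cds) in live]

# Constructed sample: a fake 64-byte "public key" for algorithm 13 (not a real key).
EXAMPLE_OWNER = "example.com."
EXAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode("ascii")
EXAMPLE_DNSKEYS = [(257, 3, 13, EXAMPLE_PUBKEY)]

def example_cds():
    """What the child would publish as CDS: the DS form of its own KSK."""
    return [ds_from_dnskey(EXAMPLE_OWNER, *EXAMPLE_DNSKEYS[0])]

if __name__ == "__main__":
    print("DS to publish:", reconcile_cds(EXAMPLE_OWNER, example_cds(), EXAMPLE_DNSKEYS))
```

A CDS whose digest does not match any served KSK is dropped, which is the check that stops a stale or forged CDS from landing in the parent as a DS record.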

DNSSEC key rollover

DNSSEC aims to prevent DNS spoofing attacks, in which malicious actors redirect users to their own websites. It does this by cryptographically signing DNS data; the master cryptographic key at the root of the chain of trust is called the key signing key (KSK).


Since keeping a cryptographic key in use for a long time is considered bad security practice, because it could be compromised, the Internet Corporation for Assigned Names and Numbers (ICANN) plans to change the KSK periodically.

This change also requires network operators to update their systems with the new KSK. Failure to do so will leave the clients of their DNS resolvers unable to resolve websites and email addresses.

ICANN initially planned a KSK rollover for October 11, 2017. However, as the date approached, the organization determined that many network operators and ISPs were unprepared, which could lead to tens of millions of users going offline. The KSK rollover was pushed back one year and it’s currently set for October 11, 2018, although this date is still pending ratification by the ICANN Board.

ICANN expects the impact of the root KSK rollover to be minimal if it takes place on October 11, but it will still affect a “small percentage” of users, who may not be able to access websites.

A small number of DNSSEC validating resolvers are misconfigured and some of the users relying on these resolvers may experience problems.

Users who rely on resolvers that do not perform DNSSEC validation will not be impacted, and ICANN believes roughly two-thirds of users are in this situation.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
