At Cloudflare, we’re excited about making the Internet safer through the mass deployment of DNSSEC, which we recently launched as Cloudflare Universal DNSSEC. It adds authentication to an otherwise insecure DNS, preventing man-in-the-middle attacks that tamper with DNS answers and giving visitors assurance that their connection is routed to the right server.
Because trust in DNSSEC is top-down (the root zone vouches for the .com zone, the .com zone vouches for the cloudflare.com zone, and so forth), enabling DNSSEC requires a website owner to update the DS record with you, the registrar.
This step is problematic: copying and pasting the DS record opens the door to human error and adds a layer of complexity for less-savvy users. We want to make DNSSEC as easy to deploy as possible.
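To make the DS record concrete, here is an added example (not Cloudflare's code and not the draft protocol described below) that derives a DS from a child zone's DNSKEY as RFC 4034 specifies and then checks a pasted DS against that key, which is the kind of consistency check that catches a mangled copy before it is published. The owner name and key bytes are constructed and are not real key material.

```python
import base64
import hashlib
import struct

# Constructed sample zone and key (not real key material): 16 dummy public-key bytes.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(16))).decode())  # flags, protocol, alg, key

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_to_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA as sent on the wire: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the 16-bit checksum that identifies the key in the DS)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """Derive the DS record (key tag, algorithm, digest type, hex digest) the parent zone must publish.

    The digest covers owner name (wire form) || DNSKEY RDATA, as RFC 4034 section 5.1.4 specifies.
    """
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), dnskey[2], digest_type, digest)

def check_ds(owner, dnskey, ds):
    """Compare the DS a registrar received against the child's DNSKEY; return mismatches (empty = OK).

    This is the consistency check that would catch a digest mangled in copy-and-paste.
    """
    if ds[2] not in DIGESTS:
        return ["unsupported digest type %d" % ds[2]]
    expected = make_ds(owner, dnskey, ds[2])
    got = (ds[0], ds[1], ds[2], ds[3].replace(" ", "").upper())  # tolerate spacing/case in pasted hex
    labels = ("key tag", "algorithm", "digest type", "digest")
    return ["%s: expected %s, got %s" % (n, e, g) for n, e, g in zip(labels, expected, got) if e != g]

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print("%s IN DS %d %d %d %s" % (SAMPLE_OWNER, *ds))
    print("mismatches:", check_ds(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
```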
If Cloudflare could communicate directly with the registrar or registry, we could activate DNSSEC for every website on Cloudflare automatically and manage their keys without human intervention.
As part of our DNSSEC rollout, we published an Internet Draft alongside CIRA, the .ca registry, proposing a protocol for DNS operators like Cloudflare to do just that: communicate with registrars and registries to automate DNSSEC management.
Several registries are already planning to add support, such as NIC Chile (.cl) and eNIC (.ee). If you work for a registrar or registry and are interested in learning more, getting involved in developing the protocol, or adding an integration with Cloudflare, get in touch by emailing dnssec-integration@cloudflare.com.