The Domain Name System (DNS) is like the Internet's phone book: it tells computers where to send information and where to retrieve it from. Unfortunately, it also accepts any address it is handed, no questions asked.
Email servers use DNS to route mail, which means they are exposed to security problems in the DNS infrastructure. In September 2014, CMU researchers discovered that email that should have been sent through Yahoo!, Hotmail and Gmail servers was instead being routed through rogue mail servers. The attackers exploited a decades-old weakness in the Domain Name System (DNS): it does not check credentials before accepting an answer.
The solution to this problem is a protocol called DNSSEC. By providing authentication, it adds a layer of trust on top of DNS. When a DNS resolver looks up blog.cloudflare.com, the .com name servers help the resolver verify the records returned for cloudflare, and cloudflare helps verify the records returned for blog (in practice each parent publishes a signed DS record, a hash of its child's signing key, so the resolver can tell a genuine child key from an impostor's). The root DNS name servers help verify .com, and the information the root publishes is vetted through a thorough security process that includes the Root Signing Ceremony.
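The chain of trust described above, as an added example that is not Cloudflare's code or wire-format DNSSEC: a toy model in which each zone signs its own records with one ECDSA key, each parent publishes a signed DS record (a SHA-256 digest of the child's DNSKEY), and the validating resolver starts from a configured trust anchor (the root's DS, as real resolvers do) and walks root, .com and cloudflare.com before believing a blog.cloudflare.com answer. Zone names and the IP addresses are constructed sample data; real DNSSEC signs whole RRsets with RRSIG records and usually splits the key-signing and zone-signing roles, which this example collapses into a single key per zone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Zone is a toy model of one signed zone: one key pair, the records it
// serves (keyed "owner type"), and this zone's signature over each record.
type Zone struct {
	Name    string
	Key     *ecdsa.PrivateKey
	Records map[string]string // "owner type" -> rdata
	Sigs    map[string][]byte // "owner type" -> ASN.1 ECDSA signature (the RRSIG)
}

func NewZone(name string) *Zone {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Key: key, Records: map[string]string{}, Sigs: map[string][]byte{}}
}

// toSign is the digest each signature covers: owner, type and rdata together,
// so changing any of them invalidates the signature.
func toSign(owner, rtype, rdata string) []byte {
	h := sha256.Sum256([]byte(owner + " " + rtype + " " + rdata))
	return h[:]
}

// Publish stores a record together with the zone's signature over it.
func (z *Zone) Publish(owner, rtype, rdata string) {
	sig, err := ecdsa.SignASN1(rand.Reader, z.Key, toSign(owner, rtype, rdata))
	if err != nil {
		panic(err)
	}
	z.Records[owner+" "+rtype] = rdata
	z.Sigs[owner+" "+rtype] = sig
}

// DNSKEY is the zone's public key as the zone itself publishes it (hex of PKIX DER).
func (z *Zone) DNSKEY() string {
	der, err := x509.MarshalPKIXPublicKey(&z.Key.PublicKey)
	if err != nil {
		panic(err)
	}
	return hex.EncodeToString(der)
}

// DS is what a parent publishes about a child: a SHA-256 digest of the
// child's DNSKEY. The parent signs this DS record with its own key.
func DS(dnskey string) string {
	d := sha256.Sum256([]byte(dnskey))
	return hex.EncodeToString(d[:])
}

// lookup returns a record and its signature, exactly as an unvalidated
// answer from the network would.
func (z *Zone) lookup(owner, rtype string) (string, []byte, bool) {
	rdata, ok := z.Records[owner+" "+rtype]
	return rdata, z.Sigs[owner+" "+rtype], ok
}

// Validate plays the validating resolver. chain[0] must be the root zone.
// At each level the zone's DNSKEY is only trusted if its digest matches the
// DS the (already trusted) parent signed; the root's DS is the configured
// trust anchor. The leaf record is then verified under the last trusted key.
func Validate(anchorDS string, chain []*Zone, owner, rtype string) (string, error) {
	var trusted *ecdsa.PublicKey
	for i, z := range chain {
		wantDS := anchorDS
		if i > 0 {
			parent := chain[i-1]
			ds, sig, ok := parent.lookup(z.Name, "DS")
			if !ok || !ecdsa.VerifyASN1(trusted, toSign(z.Name, "DS", ds), sig) {
				return "", fmt.Errorf("%s: no validly signed DS record in %s", z.Name, parent.Name)
			}
			wantDS = ds
		}
		keyHex := z.DNSKEY()
		if DS(keyHex) != wantDS {
			return "", fmt.Errorf("%s: DNSKEY does not match the DS its parent published", z.Name)
		}
		der, _ := hex.DecodeString(keyHex)
		pub, err := x509.ParsePKIXPublicKey(der)
		if err != nil {
			return "", err
		}
		trusted = pub.(*ecdsa.PublicKey)
	}
	rdata, sig, ok := chain[len(chain)-1].lookup(owner, rtype)
	if !ok || !ecdsa.VerifyASN1(trusted, toSign(owner, rtype, rdata), sig) {
		return "", fmt.Errorf("%s %s: missing or badly signed answer (forged or tampered)", owner, rtype)
	}
	return rdata, nil
}

// BuildExample builds the constructed hierarchy root -> com -> cloudflare.com
// (sample data, not the real zones) with one A record for blog.cloudflare.com.
func BuildExample() (root, com, cf *Zone) {
	root, com, cf = NewZone("."), NewZone("com"), NewZone("cloudflare.com")
	cf.Publish("blog.cloudflare.com", "A", "198.51.100.10")
	com.Publish(cf.Name, "DS", DS(cf.DNSKEY()))
	root.Publish(com.Name, "DS", DS(com.DNSKEY()))
	return root, com, cf
}

func main() {
	root, com, cf := BuildExample()
	anchor := DS(root.DNSKEY())
	fmt.Println(Validate(anchor, []*Zone{root, com, cf}, "blog.cloudflare.com", "A"))
	// An attacker with their own key can serve a "cloudflare.com" zone, but
	// .com never signed a DS for that key, so the resolver rejects it.
	rogue := NewZone("cloudflare.com")
	rogue.Publish("blog.cloudflare.com", "A", "203.0.113.66")
	fmt.Println(Validate(anchor, []*Zone{root, com, rogue}, "blog.cloudflare.com", "A"))
}
```

The two failure paths are the ones that matter in practice: a rogue zone fails at the DS comparison because the parent never vouched for its key, and a record altered in transit fails at the final signature check even though every key in the chain is genuine.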
Similar to HTTPS, DNSSEC adds a layer of security by enabling authenticated answers on top of an otherwise insecure protocol. Whereas HTTPS encrypts traffic so nobody on the wire can snoop on your Internet activity, DNSSEC merely signs responses so that forgeries are detectable; it does nothing to hide which names you look up. DNSSEC solves a real problem without needing to incorporate encryption.
Cloudflare’s goal is to make it as easy as possible to enable DNSSEC. All Cloudflare customers can add DNSSEC to their web properties by flipping a switch to enable DNSSEC and uploading a DS record (which we'll generate automatically) to their registrar. Validating resolvers only start checking your signatures once the DS record is published in the parent zone, so confirm it is visible there (for example with `dig DS example.com +short`) before treating DNSSEC as active. Learn more about how to get DNSSEC.
We’ve also published an Internet Draft outlining an automated way for registries and registrars to upload DS records on behalf of our customers, which will let Cloudflare turn on DNSSEC automatically for our entire community. Stay tuned for updates.