Cloudflare to Enable Customers Increase DNS Security with Easier DNSSEC Activation

With the new option, the company aims to facilitate the adoption of the DNSSEC extension, making its customers less vulnerable to hacking attacks.

Photo: Cloudflare Blog

Photo: Cloudflare Blog

Cloudflare, the US-based company offering content delivery network services, has announced its customers will now be able to install DNSSEC in just a single click in their dashboard. The move, the company said in a blog post, will help to drive the adoption of DNSSEC, the technology that ensures security of DNS data using public key cryptography and digital signatures.

DNS is the key component of the modern Internet that provides a way of connecting domain names to IP addresses. When the protocol was invented in the early 1980s, it lacked strong security mechanisms, the network was much smaller and machines were less powerful comparing to today’s computers. Little has changed since then as DNS remains an insecure protocol with multiple vulnerabilities which can be easily exploited by hackers.

DNSSEC is a security tool that can prove authenticity and integrity of the DNS data, ensuring users are visiting the appropriate website. It is a powerful way to prevent the risk of DNS security vulnerabilities, protecting users from being redirected to a malicious destination that they didn’t request.

Obstacles to Wider Adoption

Despite it is almost a decade since the first publication of DNSSEC, it’s still far from the mainstream usage. Globally, less than 14% of all DNS requests are validated using the extension, according to data from APNIC. Also, only 3% of the Fortune 1000 largest corporations have set up the protocol to their domains.

The reason for the low adoption is high cost of the service rollout. Some big DNS operators don’t yet support it and charge enormous rates for the extension. As a result, very few domain owners are ready to pay for it.

“The blame here falls on the shoulders of the default DNS providers that most devices and users receive from DHCP via their ISP or network provider,” the company said.

In some countries, APNIC shows, DNSSEC validation is more than 80%, while in most regions it is still under 10%. In the US, 23% of requests are validated by the protocol.

Another issue highlighted by APNIC is that 40% of those who attempted to add DNSSEC to the domain name failed to complete it. Cloudflare says it is because of the registrars’ “horrible user interfaces.” Besides, there is no single method for the DNSSEC installment.

“This end result is likely not surprising to anyone who has tried to add a DS record to their registrar. Locating the part of the registrar UI that houses DNSSEC can be problematic, as can the UI of adding the record itself,” Cloudflare noted.

“Additional factors such as varying degrees of technical knowledge amongst users and simply having to manage multiple logins and roles can also explain the lack of completion in the process. Finally, varying levels of DNSSEC compatibility amongst registrars may prevent even knowledgeable users from creating DS records in the parent.”

Cloudflare Solution

Cloudflare addresses these problems by offering the web security standard for free. “Our stance here is clear: DNSSEC should be available and included at all DNS operators for free,” the post reads.

To make the process less complex, Cloudflare has adopted the official RFC and will provide full support for CDS and CDNSKEY for all Cloudflare managed domains that set up DNSSE, thus eliminating the need to login and upload a DS record.

Aimed at making the Internet better, Cloudflare has recently announced its “Crypto Week” project.  Every day of the week the company will unveil a new technology that uses cryptography and the first technology introduced is a portal that provides an access to the InterPlanetary File System (IPFS).

 

We welcome comments that advance the story directly or with relevant tangential information. We try to block comments that use offensive language, all capital letters or appear to be spam, and we review comments frequently to ensure they meet our standards. Views expressed in the comments do not represent those of Coinspeaker Ltd.