The team over at CloudFlare published an excellent introduction to DNSSEC today that is well worth a read. CloudFlare has developed a reputation for writing blog posts that provide a solid level of technical depth, and this one certainly does. Nick Sullivan starts by walking through the basics of DNS, including some packet captures and nice illustrations. Then he gets into man-in-the-middle (MITM) attacks and provides a great graphic that very succinctly shows a MITM attack against DNS:
Even better, Sullivan nicely explains the “Kaminsky Attack” and the situation that makes the attack possible. He then plunges into DNSSEC, explains RRsets and RRSIGs, ZSKs and KSKs, and touches on the value of NSEC/NSEC3 to prove that records don’t exist.
All in all it is an excellent introduction and we’re very pleased to see CloudFlare publishing this piece. Thanks to Nick Sullivan and his team for getting this out there!
As we’ve written about before, CloudFlare has been saying since the ICANN 50 DNSSEC Workshop back in July that they would have DNSSEC available for their customers by the end of 2014. Their post today says “in the next six months”… but we’ll hope it comes in on the sooner side of that. It was also great to see the official announcement that CloudFlare has hired Olafur Gudmundsson, one of the developers of the first DNSSEC implementation many, many years ago and currently one of the co-chairs of the DANE Working Group within the IETF. We’ve been working with Olafur over the past few years through our partnership with Shinkuro, Inc., where he worked before, and we’re delighted that he’s now working on DNSSEC at CloudFlare.
All great to see – and this will only help get DNSSEC much more widely deployed!
If you want to get started with DNSSEC today, please visit our Start Here page to find resources targeted at your role or type of organization. Help us make the Internet more secure today!