When you launch your domain to the world, you rely on the Domain Name System (DNS) to direct your users to the address for your site. However, DNS cannot guarantee that your visitors reach your content because DNS, in its basic form, lacks authentication. If someone was able to poison the DNS responses for your site, they could hijack your visitors' requests.
The Domain Name System Security Extensions (DNSSEC) can help prevent that type of attack by adding a chain of trust to DNS queries. When you enable DNSSEC for your site, you can ensure that the DNS response your users receive is the authentic address of your site.
We launched support for DNSSEC in 2014. We made it free for all users, but we couldn’t make it easy to set up. Turning on DNSSEC for a domain was still a multistep, manual process. With the launch of Cloudflare Registrar, we can finish the work to make it simple to enable for your domain.
You can now enable DNSSEC with a single click if your domain is registered with Cloudflare Registrar. Visit the DNS tab in the Cloudflare dashboard, click "Enable DNSSEC", and we'll handle the rest. If you are not on Cloudflare Registrar, you can read more about transferring your domain here.
A quick introduction to DNSSEC
The Domain Name System (DNS) translates a site’s domain name, like cloudflare.com, to the address of the server hosting that site. When users request your website, their browser starts with a DNS query to find that IP address.
The query first asks the Internet root servers to locate the servers responsible for the top-level domain (TLD). In the case of .com, those servers are managed by the registry Verisign. Verisign then finds the authoritative nameservers for that particular domain and requests the IP from them. If you use Cloudflare for your site’s DNS, Cloudflare manages those nameservers and we respond with an anycast IP for your site, which is ultimately returned to your visitor.
DNS assumes each request in that chain can be trusted, but the protocol does not actually verify the response. That presumption leaves the series of requests vulnerable to attack. In that scenario, an attacker poisons the responses for your site with directions to a malicious one. Instead of arriving at your webpage, your visitors are directed to a site that can be used for phishing or other malicious purposes. To solve that problem, a layer is needed to verify that each response can be trusted.
DNSSEC builds that trust by adding cryptographic signatures to each handoff in the relay. Those signatures establish a chain of trust from the authoritative nameservers, through the TLD server, and all the way to the root servers of the Internet. Your visitors’ DNS resolver can validate that the IP address returned for your domain name was provided by the authentic source.
Expanding DNSSEC adoption with Cloudflare Registrar
We began advocating for DNSSEC in 2014 and launched beta support in 2015. We’re committed to expanding its adoption on the internet. However, we’ve only been able to provide DNSSEC for your domain when you completed a series of manual actions. To make DNSSEC ubiquitous, we first have to make it easy to enable like we did for one-click SSL.
Historically, enabling DNSSEC required you to generate a DS record from a service like Cloudflare, copy it down, and then save it to your registrar so they could send it to your registry. That’s tedious. We can now remove those steps for you. When Cloudflare is your registrar, we can automatically apply DNSSEC through our support for CDS and CDNSKEY.
Instead of asking you to save the records yourself, Cloudflare Registrar automatically scans available DS records (and validates them) for domains that use our nameservers. When we notice that you have DNSSEC enabled, we grab the details and send it to the registry for you.
To turn on DNSSEC, navigate to the DNS tab for your domain in the Cloudflare dashboard. In the DNSSEC card, select “Enable” and that’s it. We’ll handle the rest. Your records will be set in the next 24-36 hours. It’s free, it’s one-click, and it helps secure your site.
If you have started transferring your domain to Cloudflare registrar, you can use the one-click DNSSEC feature as soon as the transfer completes. If you already have DS records for your domain, the domain transfer will protect the DS record and make sure it’s still current after the transfer.
While this feature removes some of the chore to enable DNSSEC, we’re committed to removing any hurdle to making the Internet safer. We’re working on supporting DNSSEC by default for sites on Cloudflare. We have some work to do to reach this goal, but we’re excited to help make DNSSEC the new normal.
Interested in helping us with that work? Visit the Cloudflare jobs page here to join our team.