Cloudflare is expanding the adoption of DNSSEC by allowing users to enable it with the click of a button in the Cloudflare dashboard.
DNSSEC (Domain Name System Security Extensions) is a security technology that protects against cyberattacks by proving the authenticity and integrity of a response from the nameserver. It makes it difficult for bad actors to inject malicious DNS records into the resolution path through cache poisoning and BGP route leaks.
For example, DNSSEC can prevent malicious actors from obtaining fraudulent certificates for a domain.
However, the adoption of DNSSEC has remained a pain point because of complications and costs. Only 14% of DNS requests had DNSSEC validated by a recursive resolver, according to APNIC. Cloudflare blames the default DNS providers for the low rate of DNSSEC validation.
Website owners aren’t aware that DNS (the system that translates web addresses into IP addresses) is vulnerable to cyberattacks. It can be attacked and compromised by hackers to send users to malicious websites.
DNSSEC aims to address these issues by providing end-to-end validation of requests, from devices to the web server of the site. This makes spoofing far tougher for attackers.
Websites have also found it difficult to adopt DNSSEC because they needed to log in to their registrar to upload a DS record. Cloudflare will change that by allowing users to set up DNSSEC on supported registries with a click in the Cloudflare dashboard.
Initially, Gandi will support the one-click DNSSEC setup. Cloudflare will add support for more registries to expand adoption further.
Users can check whether their resolver supports DNSSEC by visiting brokendnssec.net in the browser. If the page loads, they are not protected by a DNSSEC-validating resolver and need to switch resolvers.
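The same check can be scripted against a specific resolver instead of relying on the browser. The sketch below is an added example, not code from Cloudflare or from this article: it sends an A query for brokendnssec.net and treats a SERVFAIL reply as the sign of a validating resolver. The function names and the constructed sample replies are assumptions made for illustration.

```python
import secrets
import socket
import struct

SERVFAIL = 2  # RCODE a validating resolver returns when signatures do not verify

def build_query(name, qid):
    """Build a DNS A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, qid=0x1234):
    """Classify a resolver from its reply for a name whose DNSSEC is deliberately broken."""
    if len(response) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:  # ID must match and QR must be set
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode == SERVFAIL:
        return "validating"      # the bogus answer was withheld
    if rcode == 0 and ancount > 0:
        return "not validating"  # the bogus answer came back, so the page would load
    return "inconclusive"        # e.g. NXDOMAIN, REFUSED or an empty answer

def check_resolver(resolver_ip, name="brokendnssec.net", timeout=3.0):
    """Query resolver_ip over UDP and classify the reply (needs network access)."""
    qid = secrets.randbelow(1 << 16)  # unpredictable query ID
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((resolver_ip, 53))  # only accept replies from this resolver
        sock.send(build_query(name, qid))
        return classify(sock.recv(4096), qid)

# Constructed sample replies (header only), not captured traffic.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)  # QR, RD, RA, rcode=2
SAMPLE_ANSWERED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, 1 answer

if __name__ == "__main__":
    print(classify(SAMPLE_SERVFAIL))
    print(classify(SAMPLE_ANSWERED))
```

A SERVFAIL can also come from an unrelated outage, so repeat the check or compare against a correctly signed name before drawing a conclusion.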
Cloudflare’s new move will increase the adoption of DNSSEC. It might take time, but so did HTTPS.