DNSFilter Feature Requests
Powered by Canny
DNSSec Support
launched
Ken Carnesi
February 21, 2018
Josh Lamb marked this post as launched
Hello Voters!
We have officially released DNSSEC Support. You can utilize this by sending traffic to our Anycast IPs ending in .9 (103.247.36.9 and 103.247.37.9).
As Mike Schroll noted in a post on this thread, there are a couple challenges with DNSSEC support:
  1. Low internet adoption - A large number of domains on the internet do not have DNSSEC validation set up on their end.
  2. DNSSEC outages - Many domains which support DNSSEC have experienced outages of several days or weeks.
Because of this, we encourage people to use this feature only if they understand the inherent risks.
August 14, 2019
Mike Schroll marked this post as in progress (live <90 days)
We're currently testing OPTIONAL DNSSEC support, to be implemented via one of two means:
1) Validating recursor on your end which forwards to DNSFilter
2) Using Specific DNSFilter IPs which perform DNSSEC Validation on our end.
We'll provide a lot of documentation around this to explain all the challenges with DNSSEC in general.
May 31, 2019
Mike Schroll marked this post as open
February 25, 2019
Joel
With this announcement by Cloudflare this last week:
https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/amp/
and with this post being from around 7 months ago, do you have any update on progress with DNSSEC support, Ken Carnesi?
September 24, 2018
Mike Schroll
Joel: Hi Joel. As noted in the Cloudflare article... the problem with DNSSEC is low (proper) adoption. If we enable DNSSEC... any domain which has not set it up properly will now fail to resolve.
You can see the list here: https://ntldstats.com/dnssec
That's currently 2829 domains, and they're not small, obscure domains. See the list of well-known failures here: https://ianix.com/pub/dnssec-outages.html
At this time, turning on DNSSEC would 'break' many parts of the Internet for our customers, causing them to perceive our service as inferior to competitors who don't have DNSSEC enabled, and can successfully resolve all domains.
There should be more discussion around whether this is something we could have as something customers could toggle on, on a per-account basis -- with plenty of warnings, and perhaps some additional tools so customers can easily test if a domain is failing to resolve due to invalid DNSSEC (maybe we could even have a reporting view which shows how many lookups failed to return answers due to bad DNSSEC).
Finally, we've not done extensive testing, but there may be conflicts between what our service does and DNSSEC, since we are overriding answers. Especially if a customer enabled DNSSEC validation on a caching forwarder on their prem which forwards to us: it will break when a domain goes from allowed to blocked, as it will think we're doing a MITM, and no answer will be returned (no block page shown).
September 24, 2018
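The tooling Mike describes above, telling a domain that fails DNSSEC validation apart from one that simply does not resolve, can be built on the CD (Checking Disabled) flag: query the validating resolver once normally and once with CD set; SERVFAIL in the first case but an answer in the second means the resolver rejected the zone's signatures. The script below is an added example, not code from DNSFilter or anyone in this thread; the function names, the UDP-only query (no TCP fallback) and the result labels are the example's own assumptions.

```python
import secrets
import socket
import struct

# Hypothetical helper names; the validating resolver address is a parameter.
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name: str, checking_disabled: bool, qtype: int = 1) -> bytes:
    """Minimal DNS query (A record by default). Setting CD asks the resolver to
    answer even when DNSSEC validation fails, so CD=0 vs CD=1 isolates bad DNSSEC."""
    txid = secrets.randbits(16)
    flags = 0x0100 | (0x0010 if checking_disabled else 0)  # RD, plus CD when requested
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_rcode(response: bytes) -> int:
    """Return the RCODE from the low four bits of the flags word (bytes 2-3)."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F

def classify(rcode_validating: int, rcode_cd: int) -> str:
    """Interpret the pair of results: SERVFAIL only with validation on means
    the resolver rejected the zone's signatures, not that the zone is unreachable."""
    if rcode_validating == 2 and rcode_cd == 0:
        return "DNSSEC_VALIDATION_FAILURE"
    if rcode_validating == 2 and rcode_cd == 2:
        return "RESOLUTION_FAILURE"
    return RCODE_NAMES.get(rcode_validating, f"RCODE{rcode_validating}")

def query_rcode(resolver: str, name: str, checking_disabled: bool, timeout: float = 3.0) -> int:
    """Send one UDP query and return the RCODE of the matching reply."""
    q = build_query(name, checking_disabled)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        while True:
            data, _ = s.recvfrom(4096)
            if data[:2] == q[:2]:  # match transaction id, ignore strays
                return parse_rcode(data)

def check_domain(resolver: str, name: str) -> str:
    return classify(query_rcode(resolver, name, False), query_rcode(resolver, name, True))

if __name__ == "__main__":
    import sys
    # Usage: python dnssec_check.py <validating-resolver-ip> <domain>
    print(check_domain(sys.argv[1], sys.argv[2]))
```

Run against a validating resolver such as the .9 anycast addresses announced in this thread; a result of DNSSEC_VALIDATION_FAILURE is the case a per-account toggle would otherwise surface to users as an unexplained failed lookup.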
Ken Carnesi
Joel: Thanks for writing in. I mentioned it to Mike Schroll and it looks like he did a good job answering above!
September 24, 2018
Ken Carnesi marked this post as up next
February 21, 2018