CloudFlare drinks the DNSSEC kool-aid, offers it on universal basis
Controversial protocol launched
CloudFlare has rolled out Universal DNSSEC, despite widespread controversy alleging it would provide an excellent platform from which intelligence agencies could spy upon and intercept global internet traffic.
Universal DNSSEC will be available to CloudFlare customers for free. The company announced that it will do "all the heavy lifting by signing your zone and managing the keys ... All you need to do is enable DNSSEC in your CloudFlare dashboard and add one DNS record to your registrar."
The CDN and DNS flogging company claimed "DNSSEC guarantees a website’s traffic is safely routed to the correct servers so that a site’s visitors are not intercepted by a hidden 'man-in-the-middle' attacker."
DNSSEC, or DNS Security Extensions, is certainly a countermeasure against DNS cache-poisoning attacks, such as those famously highlighted by security researcher Dan Kaminsky back in 2008.
It works by having zone operators digitally sign their DNS records, so that a validating resolver can check that the answer it receives for a domain name (for example, the IP addresses it resolves to) is the one the zone's owner actually published and has not been altered in transit.
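To make the mechanism concrete: the "one DNS record" CloudFlare asks customers to add at their registrar is a DS record, a digest of the zone's signing key that lets a validating resolver link the parent zone (here, .com) to the child zone's DNSKEY, which is the chain DNSSEC's cryptographic checks follow. The Python below is an added illustration written for this article, not CloudFlare's code: it builds a DS record from a constructed sample DNSKEY following RFC 4034, and checks a DS line as the parent would publish it against the child's key, which is the consistency check an operator would run after enabling DNSSEC. The key bytes, owner name and function names are made up for the example; algorithm 13 is ECDSA P-256 with SHA-256, the elliptic-curve algorithm CloudFlare refers to.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY, not a real zone key: flags 257 (a key-signing key),
# protocol 3, algorithm 13 (ECDSAP256SHA256) and a 64-byte "public key" of 0x01 bytes.
SAMPLE_OWNER = "Example.COM."
SAMPLE_FLAGS = 257
SAMPLE_PROTOCOL = 3
SAMPLE_ALGORITHM = 13
SAMPLE_PUBKEY_B64 = base64.b64encode(b"\x01" * 64).decode()


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-cased, each label prefixed by its length, terminated by the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B. It is only an identifier to pick the right
    DNSKEY out of an RRset, not a cryptographic check; the DS digest does that."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4034 section 5.1.4): SHA-256 over owner name in wire form
    followed by the DNSKEY RDATA, rendered as upper-case hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """The presentation-format DS line a zone owner hands to the registrar for the parent zone."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    canonical_owner = owner.lower().rstrip(".") + "."
    return f"{canonical_owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"


def ds_matches(ds_line: str, owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bool:
    """Check that a DS line (as published by the parent) corresponds to the child's DNSKEY:
    owner, key tag, algorithm, digest type and digest must all agree."""
    tokens = ds_line.split()
    if "DS" not in tokens:
        return False
    i = tokens.index("DS")
    try:
        tag, alg, dtype = int(tokens[i + 1]), int(tokens[i + 2]), int(tokens[i + 3])
    except (IndexError, ValueError):
        return False
    digest = "".join(tokens[i + 4:]).upper()  # digest may be split across whitespace
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (
        tokens[0].lower().rstrip(".") == owner.lower().rstrip(".")
        and tag == key_tag(rdata)
        and alg == algorithm
        and dtype == 2
        and digest == ds_digest(owner, rdata)
    )


if __name__ == "__main__":
    ds = make_ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    print(ds)
    print("parent DS matches child DNSKEY:",
          ds_matches(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64))
```

The key tag for the sample key works out to 9262 by hand (0x0101 + 0x030D for the header bytes, plus 32 byte pairs of 0x0101), which is a useful sanity check on the arithmetic. In practice the mismatch this check catches is a stale DS at the registrar after a key rollover: a validating resolver then treats the whole zone as bogus, which is why operators verify the parent's DS against the live DNSKEY before and after any key change.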
The technology, however, remains highly contentious. Earlier this year, we reported on the ongoing debate regarding DNSSEC. While CloudFlare has provided arguments in defence of its use, critics have remained vocal.
CloudFlare has attempted to explain how DNSSEC works, the root-signing ceremony, how it will "solve the final hurdles for widespread DNSSEC adoption by using elliptic curve cryptography", the complexities that the protocol involves, and DNSSEC's usefulness for registrars.
"Is anyone at all confused about why Cloudflare wants you invested in DNSSEC? Their job is to convince you to let them run your infra." — Thomas H. Ptacek (@tqbf), November 10, 2015
Allegations regarding DNSSEC's ability to help nosey intelligence agencies were levelled by Thomas Ptacek, founder of Matasano Security, earlier this year. Ptacek's blog post alleged that DNSSEC was unnecessary, a government-controlled public key infrastructure, cryptographically weak, expensive to adopt, expensive to deploy, unsafe, incomplete, and architecturally unsound.
Ptacek also stated that "DNSSEC doesn't have to happen."
If you’re running systems carefully today, no security problem you have gets solved by deploying DNSSEC. But lots of other problems — software maintenance, network operations, user support, protecting your secrets from NSA/GCHQ — get harder.
It is not only CloudFlare disagreeing with Ptacek, however. Zachary Lym, the lead UX engineer at Namecoin, wrote in response that "DNSSEC is vital to the security of the internet" and offered a counterpoint to each of Ptacek's claims.
CloudFlare has stated that "Universal DNSSEC is designed to work seamlessly with all other CloudFlare security and performance features, including Universal SSL, a global CDN, and automatic web content optimisation." ®