IMO - DNSSEC

Florian Forster
Florian Forster

Founder and CEO

IMO = In My Opinion is a blog format where a author reflects his own opinion

As the release of ZITADEL v2 comes closer, I was working on getting the DNSSEC setups ready for our new domains (besides zitadel.com there are more) and I did wonder how the DNSSEC adoption turns out today?

DNSSEC reputation

I know that DNSSEC has an arguable reputation and this Stack Exchange article sums it up nicely. Although I agree with a lot of the criticism, I also think that one point is over exaggerated. This being the risk of a government entity taking control over the keymaterial of a domain at the registrar level. “Had DNSSEC been deployed 5 years ago, Muammar Gaddafi would have controlled BIT.LY’s TLS keys.”, cited from this article. While this holds true, it does not reflect the fact that even if the keys were managed in a different way that the control of the domain ultimately still resides with the Libyan government's registry. If we follow down this route of argumentation, the single risk we currently all take is the ICANNs control over the whole system. How ICANN counteracts this concern with public and transparent processes can be read in this entertaining article from cloudflare .

Leaving all this aside makes me still think that a second trust anchor to the TLS PKIs is not a bad thing to consider. By separating the keymaterial from TLS and DNS (let's not talk about DANE for now) from each other, brings the additional value of making it difficult (maybe more time consuming) for an attacker to compromise two separated organizations. The “price” to pay for this is reasonable and it provides some small security improvements.

With the additional rise of DNS over HTTP (DoH) and DNS over TLS (DoT), the security of DNS based attacks should improve over time.

How we deploy DNSSEC

For quite a while we were running DNSSEC on our domains hosted with Cloudflare. But with the recent changes in our architecture we wanted to reduce the number of companies that process our traffic, this to reduce risks associated with GDPR. With that said we settled for Google's DNS (Cloud DNS) and registrar (Cloud Domains) because we already run many of our services with Google. If you are interested in what we are using from whom checkout our trust page.

As a side note, running the DNS server with the same provider as the registrar and TLS CA conflicts with my statement above, where I argued that separating those parties might add to the security. But we think reducing the number of sub-processors and companies involved is worth this trade-off.

Who else uses DNSSEC

Out of curiosity I wanted to quickly brush over some of the big providers out there and see if they deploy DNSSEC. Let's say the results are confusing, because there does not seem to be a clear pattern of who deploys DNSSEC.

No DNSSEC deployed

DNSSEC deployed

Discussion

It is interesting to see who did deploy DNSSEC and who didn't. I think some of the tested sites hold off on deploying DNSSEC because they fear a potential user impact on a large audience. Notwithstanding, I think for security oriented services like a login provider it does not exactly feel like a great way to not enable DNSSEC. We think each element we can use to protect our customers is worth looking into. To be honest DNSSEC is definitely not the silver bullet for DNS security but still it is a minor improvement.

Liked it? Share it!