Looking for references of NSEC3 support

dnssec

#1

I’ve been evaluating a number of DDoS mitigation & CDN providers; most of them unfortunately via sales talks and online information sources, which give a restricted view of their capabilities.

CF is one of the very few that actually allow you to test their platform. So I added a domain name and enabled DNSSEC; downloaded the DS, uploaded it to my registrar and indeed, lo and behold, everything works. Except for one thing… I have NSEC support but no NSEC3 support.

I’ve been digging into the different knowledge bases, the fora and even Google, but alas, I cannot find if NSEC3 is actually supported and if so, how to activate it.

Now, I hope I haven’t overlooked it. Does anyone have an idea if:

  1. Does Cloudflare support NSEC3?
  2. How do I activate it?
  3. Or is it part of the paid packages?

Thanks a lot.

Dirk


#2

We don’t. More information can be found in these articles about why we didn’t and how we perform similar functions without the downsides of other approaches:


#3

Thanks! Interesting read on DNSSEC Complexities, and I must say that, while CF’s approach might sound unorthodox, I do see the advantages of doing things this way. One of the traditional amplification attacks is to query an auth NS with non-existing names, which generate huge responses in an NSEC3 implementation. Even RRL (Response Rate Limiting) cannot weed out this type of attack. As a result the auth NS will generate a perfect payload for a potential target. At the time of implementing DNSSEC some years ago, I did state to a number of people that DNSSEC would be a perfect weapon of mass amplification and not necessarily bring the increased security it was supposed to bring.
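To put a number on the response-size problem described above, here is an added example (not code from the thread or from Cloudflare) that builds a constructed NXDOMAIN response in DNS wire format, classifies the denial-of-existence proof it carries (NSEC vs NSEC3), and reports the response/query byte ratio; the zone name, hashed owner labels, salt and all-zero signature bytes are placeholders, and only the record layout and sizes are meant to be realistic.

```python
import struct

TYPE_A, TYPE_SOA, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 6, 46, 47, 50

def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def build_message(qname, qtype, rrs=(), flags=0x0100, answer=0):
    """Build a DNS message; rrs are (owner, type, rdata) tuples, the first 'answer' of them in the answer section."""
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, answer, len(rrs) - answer, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in rrs:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return hdr + body

def analyse_negative_response(query, response):
    """Report which denial-of-existence proof a response carries and its amplification factor."""
    qd, an, ns, ar = struct.unpack("!HHHH", response[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(response, off) + 4          # skip QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    denial = "NSEC3" if TYPE_NSEC3 in types else "NSEC" if TYPE_NSEC in types else "none"
    return {"denial": denial, "rrsigs": types.count(TYPE_RRSIG), "query_bytes": len(query),
            "response_bytes": len(response), "amplification": round(len(response) / len(query), 1)}

# Constructed placeholders: RRSIG with a 2048-bit RSA-sized (256-byte) signature field, and an NSEC3
# record with a 4-byte salt, 20-byte next-hash and a small type bitmap. The hashed labels are made up.
def rrsig(covered, signer="example.com"):
    return struct.pack("!HBBIIIH", covered, 8, 2, 3600, 0, 0, 0) + encode_name(signer) + b"\x00" * 256
def nsec3():
    return struct.pack("!BBHB", 1, 0, 10, 4) + b"\xde\xad\xbe\xef" + b"\x14" + b"\x00" * 20 + b"\x00\x06\x40\x00\x00\x00\x00\x02"

def sample():
    """NXDOMAIN for nx.example.com with the three NSEC3 proofs RFC 5155 requires (closest encloser, next closer, wildcard)."""
    query = build_message("nx.example.com", TYPE_A)
    soa = encode_name("ns1.example.com") + encode_name("hostmaster.example.com") + struct.pack("!IIIII", 1, 7200, 3600, 1209600, 3600)
    rrs = [("example.com", TYPE_SOA, soa), ("example.com", TYPE_RRSIG, rrsig(TYPE_SOA))]
    for h in ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom", "b4um86eghhds6nea196smvmlo4ors995", "gjeqe526plbf1g8mklp59enfd789njgi"):
        rrs += [(h + ".example.com", TYPE_NSEC3, nsec3()), (h + ".example.com", TYPE_RRSIG, rrsig(TYPE_NSEC3))]
    return analyse_negative_response(query, build_message("nx.example.com", TYPE_A, rrs, flags=0x8183))
```

With these sizes a 32-byte query for a non-existent name draws a response of roughly 1.7 KB, which is the ~50x ratio that makes signed NXDOMAIN answers attractive for reflection and is worth measuring against your own zones.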