I’ve been evaluating a number of DDoS mitigation & CDN providers; most of them, unfortunately, via sales talks and online information sources, which give a restricted view of their capabilities.
CF is one of the very few that actually allow you to test their platform. So I added a domain name and enabled DNSSEC, downloaded the DS, uploaded it to my registrar and indeed, lo and behold, everything works. Except for one thing… I have NSEC support but no NSEC3 support.
I’ve been digging into the different Help Centers, the fora and even Google, but alas, I cannot find if NSEC3 is actually supported and if so, how to activate it.
Now, I hope I haven’t overlooked it. Does anyone have an idea if:
We don’t. More information can be found in these articles about why we didn’t and how we perform similar functions without the downsides of other approaches:
Thanks! Interesting read on DNSSEC Complexities, and I must say that although CF’s approach might sound unorthodox, I do see the advantages of doing things this way. One of the traditional amplification attacks is to query an auth NS with non-existing names, which generate huge responses in an NSEC3 implementation. Even RRL (Response Rate Limiting) cannot weed out this type of attack. As a result, the auth NS will generate a perfect payload for a potential target. At the time of implementing DNSSEC some years ago, I did state to a number of people that DNSSEC would be a perfect weapon of mass amplification and not necessarily bring the increased security it was supposed to bring.