Problems integrating new 'one-click' DNSSEC w/ Cloudflare

dnssec

#1

Hi,

I tried enabling DNSSEC and Cloudflare is telling me that the configuration was successfully completed. Upon running a check with Pingdom’s DNS Checker, it came up with a number of issues with the DNSSEC Keys: http://dnscheck.pingdom.com/?domain=the-photographyblog.com&timestamp=1537350362&view=1

Anyone had these issues before? Hope this helps the entire community…


#2

No problems here: https://dnssec-debugger.verisignlabs.com/the-photographyblog.com and http://dnsviz.net/d/the-photographyblog.com/dnssec/ are all green. I think Pingdom's tool hasn't been updated in a long time and doesn't know about 'Algorithm number 13', which is an algorithm used for signing DNSSEC records.

Algorithm 13 is ECDSA-P256-SHA256 (ECDSA Curve P-256 with SHA-256) [1]

[1] https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

PS. You can see which algorithms your resolver supports: https://rootcanary.org/test.html
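As an added illustration of the point made in #2 (this is example code, not from the thread, Cloudflare or Pingdom): a validator or checker that only knows the older algorithm numbers will refuse to make sense of a zone signed with algorithm 13, even though the records are perfectly well-formed. The script below parses a DNSKEY record in presentation format, computes its RFC 4034 key tag and the SHA-256 DS digest a parent zone would publish, and then shows how the same key is judged by a checker with a current algorithm table versus one with a stale table. The DNSKEY record is constructed for the example; its key bytes are dummy data (all 0x01, which is not a real P-256 point), which does not matter for the key tag and DS arithmetic being demonstrated.

```python
import base64
import hashlib
import struct

# Subset of the IANA "DNS Security Algorithm Numbers" registry linked in #2.
DNSSEC_ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",   # ECDSA Curve P-256 with SHA-256
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

# DS digest types (RFC 4034 section 5.1.3, RFC 4509).
DS_DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(rr_text):
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64key...' into its parts."""
    fields = rr_text.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata, alg):
    """Key tag per RFC 4034 Appendix B (algorithm 1 has its own rule)."""
    if alg == 1:
        return struct.unpack("!H", rdata[-3:-1])[0]
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(rr_text, digest_type=2):
    """Return the DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY record."""
    owner, flags, proto, alg, key = parse_dnskey(rr_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DS_DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata, alg), alg, digest_type, digest


def verify_ds(rr_text, ds):
    """Recompute the DS from the DNSKEY and compare, as a parent-zone check would."""
    return ds_from_dnskey(rr_text, ds[2]) == tuple(ds)


def check_algorithm(alg, validator_supports):
    """Judge a DNSKEY algorithm the way a checker with the given algorithm table would."""
    name = DNSSEC_ALGORITHMS.get(alg, "unassigned/unknown")
    if alg in validator_supports:
        return True, "algorithm %d (%s) supported" % (alg, name)
    return False, ("algorithm %d (%s) unknown to this checker; the key is not broken, "
                   "the checker's algorithm table is stale" % (alg, name))


# Constructed KSK (flags 257 = zone key + SEP) for the domain in the thread; dummy key bytes.
EXAMPLE_DNSKEY = ("the-photographyblog.com. 3600 IN DNSKEY 257 3 13 "
                  + base64.b64encode(bytes([0x01]) * 64).decode("ascii"))

# A checker that knows only the RSA algorithms versus one with the current table.
STALE_TABLE = {5, 7, 8, 10}
CURRENT_TABLE = set(DNSSEC_ALGORITHMS)

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(EXAMPLE_DNSKEY)
    print("DS record: the-photographyblog.com. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
    print("stale checker:  ", check_algorithm(alg, STALE_TABLE)[1])
    print("current checker:", check_algorithm(alg, CURRENT_TABLE)[1])
```

The DS digest covers both the owner name and the DNSKEY RDATA, so a DS published for one name cannot be reused for another, and flipping a single flag bit (for example 257 to 256) changes the digest and fails the parent-side comparison; the script's `verify_ds` shows that behaviour. A checker's verdict, by contrast, depends only on whether the algorithm number is in its table, which is why two tools can disagree about the same signed zone.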


#3

Do you also have any idea how to configure DNSSEC for .ch domains? It seems that it’s not possible due to some sort of limitation…


#4

Hm, http://stats.research.icann.org/dns/tld_report/ tells you that the zone is signed (search for ch.)

Your registrar needs to add DNSSEC support for the ch zone. I'm not sure, but I think only a small number of registrars have added support for the ch. TLD (top level domain). I don't think there is a technical reason, but I would ask your registrar. Cloudflare doesn't care which TLD DNSSEC is enabled for; it just signs the zone.

DNSSEC adoption has been very slow; for example, NameCheap only supports 14 TLDs out of the 1392 (from the 1st link as of 2018-09-22 00:02:08): https://www.namecheap.com/support/knowledgebase/article.aspx/9718/2232/nameservers-and-tlds-supportedunsupported-by-dnssec

Some stats on the number of signed domains in the ch. zone: https://www.nic.ch/statistics/dnssec/


#5

Alright, so the issue lies with the registrar then. That must be the problem, because I am with NameCheap at the moment…


#6

Not sure if you want to continue to enable DNSSEC for the ch domain, but Google Domains and now, recently, Cloudflare could be good options in the future:
https://blog.cloudflare.com/cloudflare-registrar/

Note: I did not take the time to look at whether they support the ch TLD.

Others that you could look at are Hover and Gandi.