DNSSEC & Cloudflare websites

When I enable DNSSEC, some sites fail to resolve. I contacted staff on one of them asking them to check what was up, and they confirmed that DNSSEC was enabled and working on their end, but I was given this info about Cloudflare sites and advised to let you guys know:


ECDSA is not without its trade-offs. According to Roland van Rijswijk-Deij et al., only 80% of resolvers support ECDSA validation. This number is growing, but it means that if we switched the entire DNSSEC Internet onto ECDSA right now, DNSSEC validation would fail for millions of Internet users every day and fall back to returning unverified DNS records.

Furthermore, while ECDSA signature creation is faster than RSA, signature validation is actually much slower. Roland van Rijswijk-Deij et al. showed that, even with the ECDSA optimizations that we contributed to OpenSSL, ECDSA is still 6.6 times slower than 1024-bit RSA (which is the most common algorithm used for zone-signing keys). This is a serious problem, because overloading DNS resolvers could potentially slow down the entire Internet.

EDIT - I'm told that we can't access some websites because they're using algorithm 13 (ECDSA). Websites like pingdom will give you a non-working result, whereas websites such as dnsviz will give you a working result.

Working:
http://dnsviz.net/d/4chan.org/responses/

Not working:
http://dnscheck.pingdom.com/about.php?domain=4chan.org

If you are running this on a Pi, using Raspbian Jessie Lite, read on.
I detected this, explained here (entry of 27 Jan) or here.
Fortunately, I found a solution (for Raspbian Jessie Lite, with dnsmasq v2.72). You can find it here (entry of 29 Jan).

Again, WARNING: Don't do this if you're not willing to run anything other than the stable build!!!


If you are running Raspbian Jessie Lite and upgraded dnsmasq, as explained here, you may still get a lot of INSECURE and some BOGUS or ABANDONED validation results. I know I do. I've already raised this here, but I'm not getting any response, therefore I continued to investigate.
I found a discussion on a Dutch forum discussing the problems with DNSSEC, and read about a great site that not only validates DNSSEC, but also shows a lot of detailed information.
I'm also using this site (the page should NOT load if DNSSEC is working), this site, and of course this site (from the pi-hole settings page).
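To make sense of the INSECURE/BOGUS/ABANDONED results mentioned above, it helps to know which names they belong to. dnsmasq (with dnssec and log-queries enabled) logs "validation result is ..." on its own line without the name, so the script below pairs each result with the oldest still-unanswered "forwarded" line and summarises per name. This is an added example, not code from the thread, from Pi-hole or from dnsmasq; the log lines are constructed for the example, and the FIFO pairing is a heuristic that assumes a low-traffic resolver (a home Pi) rather than many interleaved queries.

```python
import re
import sys
from collections import Counter, deque

# Constructed sample of dnsmasq log lines (dnssec + log-queries on); not from the thread.
SAMPLE_LOG = """\
Jan 29 10:15:01 dnsmasq[447]: query[A] example.com from 192.168.1.10
Jan 29 10:15:01 dnsmasq[447]: forwarded example.com to 8.8.8.8
Jan 29 10:15:01 dnsmasq[447]: dnssec-query[DS] example.com to 8.8.8.8
Jan 29 10:15:01 dnsmasq[447]: dnssec-query[DNSKEY] example.com to 8.8.8.8
Jan 29 10:15:01 dnsmasq[447]: validation result is SECURE
Jan 29 10:15:01 dnsmasq[447]: reply example.com is 93.184.216.34
Jan 29 10:15:02 dnsmasq[447]: query[A] unsigned.test from 192.168.1.10
Jan 29 10:15:02 dnsmasq[447]: forwarded unsigned.test to 8.8.8.8
Jan 29 10:15:02 dnsmasq[447]: dnssec-query[DS] unsigned.test to 8.8.8.8
Jan 29 10:15:02 dnsmasq[447]: validation result is INSECURE
Jan 29 10:15:02 dnsmasq[447]: reply unsigned.test is 203.0.113.5
Jan 29 10:15:03 dnsmasq[447]: query[A] broken.test from 192.168.1.11
Jan 29 10:15:03 dnsmasq[447]: forwarded broken.test to 8.8.8.8
Jan 29 10:15:04 dnsmasq[447]: forwarded broken.test to 8.8.4.4
Jan 29 10:15:04 dnsmasq[447]: dnssec-query[DS] broken.test to 8.8.4.4
Jan 29 10:15:04 dnsmasq[447]: validation result is BOGUS
Jan 29 10:15:05 dnsmasq[447]: query[A] slow.test from 192.168.1.11
Jan 29 10:15:05 dnsmasq[447]: forwarded slow.test to 8.8.8.8
Jan 29 10:15:07 dnsmasq[447]: validation result is ABANDONED
"""

# Only the two line shapes the pairing needs; dnssec-query[...] lines are
# dnsmasq's own chain-building lookups and are deliberately ignored.
FORWARDED_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)")
RESULT_RE = re.compile(r"dnsmasq\[\d+\]: validation result is (SECURE|INSECURE|BOGUS|ABANDONED)")

# INSECURE just means the zone is unsigned; these two are the ones that cost
# the client an answer (BOGUS -> SERVFAIL, ABANDONED -> dnsmasq gave up on the chain).
FAILING = {"BOGUS", "ABANDONED"}


def summarize(log_text):
    """Return {name: Counter({result: n})}.

    Heuristic (assumption): each 'validation result' line is paired with the
    oldest 'forwarded' name that has not yet received a result. Good enough
    for a lightly loaded resolver; can mis-attribute under heavy concurrency.
    """
    pending = deque()
    per_name = {}
    for line in log_text.splitlines():
        m = FORWARDED_RE.search(line)
        if m:
            name = m.group(1)
            # A retry to a second upstream logs 'forwarded' again for the same
            # name but yields a single validation result; queue it only once.
            if not pending or pending[-1] != name:
                pending.append(name)
            continue
        m = RESULT_RE.search(line)
        if m and pending:
            name = pending.popleft()
            per_name.setdefault(name, Counter())[m.group(1)] += 1
    return per_name


def failing_domains(per_name):
    """[(name, {result: n})] for names with any BOGUS/ABANDONED result, most failures first."""
    out = []
    for name, counts in per_name.items():
        bad = {r: n for r, n in counts.items() if r in FAILING}
        if bad:
            out.append((name, bad))
    out.sort(key=lambda item: -sum(item[1].values()))
    return out


if __name__ == "__main__":
    # Usage: python dnssec_log_summary.py /var/log/pihole.log  (or no argument for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize(text)
    for name, counts in summary.items():
        print(f"{name:30s} {dict(counts)}")
    print("\nNames that failed validation:")
    for name, bad in failing_domains(summary):
        print(f"  {name}: {bad}")
```

Run it against the Pi-hole/dnsmasq log and look only at the second list: a long tail of INSECURE names is normal (most zones are still unsigned), while a name that shows up with BOGUS on every query is the one to investigate with DNSViz before deciding whether the zone or the upstream resolver is at fault.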

I can only speak for myself, but I currently don't have the capability to test DNSSEC (I'm forced to use specific DNS servers which have no DNSSEC capability). Hence, I cannot do further testing. Users should not use DNSSEC if it is causing problems for them. I see it as simple as that. It is equally fast disabled as enabled.

Apologies, I may have left a wrong impression. I don't think it is mandatory for the developers to respond on every topic. I meant to say that it looks to me that nobody is using DNSSEC, OR they are not looking at the logs, OR they don't understand (neither do I) what is going on. Before I decide to either use or dump DNSSEC, I just want to know what other users are experiencing, and what they think of it.
So I should have used a different statement; again, apologies.

No worries. I think you misread my answer. There was (or there should have been) no sign of anger or something like that.

That is a highly appreciated point of view you have there and we can only support that. You did a great job so far providing information on how to get the latest version of dnsmasq for others who are willing to do this. But still, DNSSEC is a rather intense thing and should be used with care. Even if I could use it (as in, if I could choose which DNS server I want to use) I would not use DNSSEC myself, because I anticipated the problems you were actually seeing.

I'm sorry if my words sounded harsh, but I really only wanted to say that users are free to experiment, but that DNSSEC in particular is something that can severely limit your overall internet experience.