域名系统(DNS)就如同互联网的电话簿:它告诉计算机向哪里发送信息,从哪里检索信息。可惜的是,它也接受互联网提供给它的任何地址,而不会进行任何询问。
电子邮件服务器使用 DNS 路由邮件,这意味着它们容易受到 DNS 基础设施的安全性问题影响。2014 年 9 月,CMU 的研究人员发现,本应通过 Yahoo!、Hotmail 和 Gmail 服务器发送的电子邮件变成通过流氓邮件服务器发送。攻击者利用了域名系统(DNS)中一个已存在数十年之久的漏洞,即接受应答前不会检查凭据。
这个问题的解决方案是一种名为 DNSSEC 的协议。通过提供身份验证,这种协议在 DNS 之上增加了一个信任层。在某个 DNS 解析器查找 blog.cloudflare.com 时,.com 域名服务器帮助解析器验证针对 cloudflare 返回的记录,而 cloudflare 帮助验证针对 blog 返回的记录。根 DNS 名称服务器帮助验证 .com,而根服务器发布的信息将通过彻底的安全程序(包括“根签名仪式”)进行审核。
Similar to HTTPS, DNSSEC adds a layer of security by enabling authenticated answers on top of an otherwise insecure protocol. Whereas HTTPS encrypts traffic so nobody on the wire can snoop on your Internet activities, DNSSEC merely signs responses so that forgeries are detectable. DNSSEC provides a solution to a real problem without the need to incorporate encryption.
Cloudflare’s goal is to make it as easy as possible to enable DNSSEC. All Cloudflare customers can add DNSSEC to their web properties by flipping a switch to enable DNSSEC and uploading a DS record (which we'll generate automatically) to their registrar.: Learn more about how to get DNSSEC.
We’ve also published an Internet Draft outlining an automated way for registries and registrars to upload DS records on behalf of our customers. This will enable Cloudflare to automatically enable DNSSEC for our entire community. Stay tuned for updates.