Toggle DNSSEC
Fri, Jun 21, 2024
When I was playing around with Cloudflare today, I had to disable DNSSEC.
DNSSEC (Domain Name System Security Extensions) is a suite of specifications used to secure information provided by the Domain Name System (DNS) through authentication and integrity checks, preventing attacks such as cache poisoning and ensuring that users reach legitimate websites. It uses digital signatures and public key cryptography to verify that DNS responses originate from their claimed sources and haven’t been altered.
I used dig to check whether the deactivation of DNSSEC had already been propagated.
dig +dnssec mydomain.com
; <<>> DiG 9.10.6 <<>> +dnssec mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37155
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
Have a look at the last line.
The flag ad is short for Authenticated Data and signifies that the data has been authenticated by DNSSEC, confirming its integrity and authenticity.
After I deactivated DNSSEC, the flag disappeared after a few minutes.
dig +dnssec mydomain.com
; <<>> DiG 9.10.6 <<>> +dnssec mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
→ Deactivation was successful
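The same check can be scripted instead of read by eye. The following is an added example, not part of the original post: it extracts the header flags from dig output and reports whether ad is set. The ad flag is set by the resolver that did the validation, so the query has to go to a resolver known to validate; the function names, the 1.1.1.1 default and the polling interval are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify dig output by the AD flag.

# Header lines copied from the two dig runs shown in the post.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37155
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# dig_flags: read dig output on stdin, print the header flags ("qr rd ra ad").
# Only the ";; flags:" header line matches; the "; EDNS: ... flags: do;" line
# of the OPT pseudosection starts differently and is ignored.
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# dnssec_state: read dig output on stdin and print one of
#   validated      (exit 0)  ad flag present
#   not-validated  (exit 1)  header found, ad flag absent
#   no-header      (exit 2)  no flags line, e.g. dig failed or timed out
dnssec_state() {
    flags=$(dig_flags)
    [ -n "$flags" ] || { echo "no-header"; return 2; }
    case " $flags " in
        *" ad "*) echo "validated"; return 0 ;;
        *)        echo "not-validated"; return 1 ;;
    esac
}

# wait_until_unsigned DOMAIN [RESOLVER] [TRIES]
# Poll a validating resolver every 10 seconds until the ad flag disappears.
# Assumption: RESOLVER validates DNSSEC (1.1.1.1 does); a non-validating
# resolver never sets ad, so its answers say nothing about the zone.
wait_until_unsigned() {
    domain=$1; resolver=${2:-1.1.1.1}; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        state=$(dig +dnssec "@$resolver" "$domain" | dnssec_state) || true
        [ "$state" = "not-validated" ] && return 0
        tries=$((tries - 1))
        sleep 10
    done
    return 1
}
```

Run `wait_until_unsigned mydomain.com` after toggling DNSSEC; it returns 0 once the resolver stops setting ad and 1 if the flag is still present after all tries.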