Closed Bug 1482941 Opened 7 years ago Closed 6 years ago

Cloudflare: Please activate DNSSEC for servo.org

Categories

(Infrastructure & Operations :: DNS and Domain Registration, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jan, Assigned: rtucker)

References

Details

(Keywords: nightly-community, Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/19/6954])

You are using Cloudflare: Please activate DNSSEC for servo.org. It's just clicking on activate and sending the DS record to the registrar. https://www.hardenize.com/report/servo.org/1534180004#domain_dns Thank you
See Also: → 1482947
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/19/6954]
Cloudflare recommends enabling their modern and reliable DNSSEC feature. DNSSEC can protect against certificate misissuance, MitM attacks and ensures an authentic ESNI record for maximum privacy. Mozilla and Cloudflare are working together on Encrypted SNI.

@larsberg:
1. Please log in to Cloudflare, go to the DNS page of servo.org, scroll to the bottom and click on "Enable DNSSEC".
2. Copy DS Record and Public Key into this bug and click on "Confirm". Done. Thanks ;)

Like mozilla.org, servo.org is registered via MarkMonitor. Mozilla's IT should then be able to store the DS record at MarkMonitor.

It's failsafe: if you accidentally clicked on "Disable DNSSEC", Cloudflare wouldn't disable anything unless the DS record has actually been removed. DNSSEC only breaks if a domain has a DS record without a properly signed zone.

Digest Type: SHA256
Algorithm: 13
Flags: 257
DS Record:
Public Key:
Flags: needinfo?(larsberg)

Done! Below is the information that cloudflare provided - I assume that you would store the DS record at MarkMonitor? Thanks!

To enable DNSSEC you will need to add this DS record to your registrar. Most registrars will ask for only a few of the fields below. We have instructions for common registrars here

DS Record
servo.org. 3600 IN DS 2371 13 2 9D2D3A68FD39965788A13ECCBAAC5FF1CDA1B1875D2E446ED8DBB15ADD6DC397

Digest
9D2D3A68FD39965788A13ECCBAAC5FF1CDA1B1875D2E446ED8DBB15ADD6DC397

Digest Type
SHA256

Algorithm
13

Public Key
mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==

Key Tag
2371

Flags
257

Flags: needinfo?(larsberg) → needinfo?(jan)

Thanks! Confirmed, the zone is properly signed by Cloudflare: http://dnsviz.net/d/servo.org/dnssec/

Eric, could you store the DS record at MarkMonitor? Thanks! :)

Flags: needinfo?(jan) → needinfo?(eziegenhorn)

Rob is probably the expert on this, can you help here Rob?

Flags: needinfo?(eziegenhorn) → needinfo?(rtucker)

The MarkMonitor web interface isn't working for some reason. Reaching out to our contact at MM to configure this.

Flags: needinfo?(rtucker)

Actually, I was able to do it. The digest type needs to be set to 2, not SHA256, in their web interface.

http://dnsviz.net/d/servo.org/dnssec/

Leads me to believe this has been handled correctly.

Assignee: infra → rtucker
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
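Before submitting a DS record to a registrar it is worth checking that it really is the hash of the DNSKEY the zone publishes, and that the numeric digest type (2 = SHA-256 per RFC 4509, which is what the MarkMonitor form expects) is the one used. The following script is an added example, not code from this bug or from Cloudflare; it recomputes the key tag and DS digest from the DNSKEY values pasted above (RFC 4034 Appendix B and RFC 4034 section 5.1.4) and compares them with the DS line Cloudflare produced. Function names and the `DIGEST_TYPES` table are the example's own.

```python
import base64
import hashlib
import struct

# Values taken from Cloudflare's DNSSEC panel output as pasted in this bug.
OWNER = "servo.org."
FLAGS = 257          # KSK: Zone Key (256) + Secure Entry Point (1)
PROTOCOL = 3         # always 3 for DNSKEY (RFC 4034 section 2.1.2)
ALGORITHM = 13       # ECDSA P-256 with SHA-256 (RFC 6605)
PUBLIC_KEY_B64 = ("mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+"
                  "KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
EXPECTED_KEY_TAG = 2371
EXPECTED_DIGEST = "9D2D3A68FD39965788A13ECCBAAC5FF1CDA1B1875D2E446ED8DBB15ADD6DC397"

# Numeric DS digest types (RFC 4034, RFC 4509, RFC 6605) -> hashlib names.
# Registrar forms such as MarkMonitor's want the number, not the hash name.
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}

def owner_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root = 0x00."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the legacy algorithm-1 form is not needed here)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.new(DIGEST_TYPES[digest_type], owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, tag_claimed, digest_claimed):
    """True if the DS a panel or registrar shows really hashes this DNSKEY (digest type 2)."""
    tag, _, _, digest = ds_record(owner, flags, protocol, algorithm, pubkey_b64)
    return tag == tag_claimed and digest == digest_claimed.upper()

if __name__ == "__main__":
    tag, alg, dt, digest = ds_record(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY_B64)
    print(f"{OWNER} 3600 IN DS {tag} {alg} {dt} {digest}")
    print("matches bug:", ds_matches(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY_B64,
                                     EXPECTED_KEY_TAG, EXPECTED_DIGEST))
```

The same function can be run against the DS that actually landed at the parent (`dig DS servo.org +dnssec`) to catch a mistyped digest or a wrong digest-type number before resolvers start failing validation.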