Signing DNSSEC answers on the fly at the edge: challenges and solutions!
CloudFlare operates DNS servers in a non-traditional way: there are no zone files, and answers can be assembled from multiple sources on the fly. This prevented us from using existing DNSSEC tools.
In order to provide a reliable and scalable solution that is friendly to the Internet, we started questioning every assumption ever made about DNSSEC deployment. The resulting design will hopefully be a roadmap for others to follow when implementing on-line DNS signing systems.
The areas where we needed to focus include algorithm selection, negative answers, key distribution for a large number of domains, and rate limiting of generated signatures.
In order to make sure our signatures would be validated, we reached out to a number of parties to upgrade their systems to support the ECDSA algorithm. We have done extensive testing with available online resources and volunteers.
Some of our design choices "stretch" protocol compliance and we will highlight those.
This will be a technical talk about technical choices based on operational realities. These choices will affect operators of recursive resolvers and providers of testing tools. For example, our negative answers crashed the popular ldns-walk program. We hope to provide some statistics in our talk.