May 9 – 10, 2015
Okura Hotel
Europe/Amsterdam timezone

Signing DNSSEC answers on the fly at the edge: challenges and solutions!

May 10, 2015, 10:00 AM
Heian I/II (Okura Hotel)

Heian I/II

Okura Hotel

Ferdinand Bolstraat 333 1072 LH Amsterdam
Public Workshop


Mr Filippo Valsorda (CloudFlare Inc.)Mr Ólafur Guðmundsson (CloudFlare Inc.)


CloudFlare operates a DNS servers in a non traditional way: there are no zone files and answers can be assembled from multiple sources on the fly. This prevented us from using existing DNSSEC tools. In order to provide a reliable and scalable solution that is friendly to the Internet we started questioning every assumption ever made on DNSSEC deployment. The resulting design will hopefully be a roadmap for others to follow when implementing on-line DNS signing systems. The areas where we needed to focus include algorithm selection, negative answers, key distribution for large number of domains and rate limiting of signatures generated. In order to make sure our signatures would be validated we reached out the number of parties to upgrade their systems to support ECDSA algorithm. We have done extensive testing with available online resources and volunteers. Some of our design choices "stretch" protocol compliance and we will highlight those.


This will be a technical talk about technical choices based on operational realities. These choices will affect operators of Recursive Resolvers and providers of testing tools. For example our negative answers crashed the popular ldns-walk program.
We hope to provide some statistics in our talk.

Primary author

Mr Ólafur Guðmundsson (CloudFlare Inc.)


Mr Filippo Valsorda (CloudFlare Inc.)

Presentation materials