I’d very much like to move from the Cloudflare DNS to deSEC and waited until now mainly for reasons of laziness as the GUI wasn’t ready when I created the account. It now seems to be perfectly comfortable to manage as I was able to transfer all the values from Cloudflare to deSEC by copy & paste with ease (smooth as butter). The one thing remaining troubling me a bit is the DNSSEC part. Following the documentation I’m a bit lost as it seems not yet aware that there is a GUI available.
So before I change the DNS entries I’d of course like to know what else I would have to do to activate the DNSSEC functionality already activated at Cloudflare. My domain host is OVH in France and I have a public key (“13 - ECDSAP256SHA256” as indicated).
Please accept my apologies for every possible sign of ignorance in advance!
We’re glad that the web interface works well for you – thank you for the feedback!
DNSSEC is enabled automatically for all domains managed at deSEC. That is, we generate signatures, and we provide the public key parameters in the domain info dialog, which you can open by clicking on the button next to a domain name in the GUI domain list. Using the parameters there, you can configure the DS records at your registrar (the provider where you bought the domain name).
Note, however: In case you already have enabled DNSSEC before the move, it is likely that clients will experience occasional validation failures if you update your DS records as described above (e.g. in parallel to changing the NS records). The reason for that is that DNS resolvers store responses for a while (cache), and it can happen that a resolver still has the old (Cloudflare) DS records cached, but sees new (deSEC) signatures, or the other way around. That’s inconsistent, and as a result, some queries will fail, and the client will only see a DNS error (“SERVFAIL”).
When switching DNS operators with a pre-existing DNSSEC configuration, there are two ways to avoid these failures:
Multi-signer approach. This means that a temporary phase of dual-signing (by both operators) is introduced:
First, at each provider, one has to create additional DNSKEY records with the other provider’s DNSKEY values. (So, at Cloudflare, you would add the deSEC DNSKEY records, and vice versa.)*
Then, instead of swapping the DS records, configure both Cloudflare’s and deSEC’s DS records. (This establishes the multi-signer setup.)
Now change the NS records.
Finally, remove the old DS records and the old provider’s DNSKEY records which were added earlier.
Between these steps, wait times (~hours to ~1 day) have to be respected, so that the resolver caches expire and changes take effect properly.
This is a complicated procedure, but it allows changing DNS operators without going insecure. The complication is only on the zone administration side; for a validating resolver, the situation looks like a standard key rollover (so, nothing new here with respect to validation). The algorithm is explained in more detail in RFC 8901. The DNS community is currently developing tooling to automate this. If you’d like to get involved, check out the multi-signer mailing list.
*… Requires support for DNSKEY editing at both providers. deSEC does support it; I’m not sure what the status is at Cloudflare.
Going insecure. Remove DS record(s) and wait for ~1 day for caches to expire, then make the NS change, and provision the new DS record(s). This has the downside that your domain is not DNSSEC-secured during the transition. Depending on what kind of records or features you use (e.g. TLSA records), applications that strictly rely on validating such records may fail during that time period.
So, from a security/continuity perspective, option 1) is “proper” and clearly preferred, but still suffers from its complexity in practice. We hope for that to improve in the mid-term.
I inquired about the option to add an additional DNSKEY to my Cloudflare DNS options but, unfortunately, failed. So what I’m currently doing is “going insecure” as you describe it.
I do not think it will have severe consequences but that would be telling … So whatever happens it should be gone around tomorrow evening (hopefully).
button next to a domain name in the GUI domain list. Using the parameters there, you can configure the DS records at your registrar (the provider where you bought the domain name).