From 946c8641963c2c6a2de10c7fd19cef7fce6d2e08 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 23 Apr 2025 15:31:48 +0100 Subject: [PATCH 1/5] Create new page for NSEC3 and adjust docs order --- src/content/docs/dns/dnssec/enable-nsec3.mdx | 26 +++++++++++++++++++ .../docs/dns/dnssec/troubleshooting.mdx | 2 +- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 src/content/docs/dns/dnssec/enable-nsec3.mdx diff --git a/src/content/docs/dns/dnssec/enable-nsec3.mdx b/src/content/docs/dns/dnssec/enable-nsec3.mdx new file mode 100644 index 00000000000000..e8170be8a48aca --- /dev/null +++ b/src/content/docs/dns/dnssec/enable-nsec3.mdx 
@@ -0,0 +1,26 @@ +--- +pcx_content_type: how-to +title: Enable NSEC3 +description: Learn how to enable NSEC3 support with Cloudflare to meet compliance requirements. +sidebar: + order: 6 +--- + +As explained in [our blog](https://blog.cloudflare.com/black-lies/), Cloudflare's implementation of negative answers with NSEC is protected against zone walking[^1]. This implementation removes the need for NSEC3 and has been [proposed as an IETF standard](https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/). + +However, if you must use NSEC3 for compliance reasons, you can enable it as explained below. + +Use the [Edit DNSSEC Status endpoint](/api/resources/dns/subresources/dnssec/methods/edit/), setting `status` to `active` and `dnssec_use_nsec3` to `true`. You should replace the values started by `$` with your zone ID and API token. To learn more about using the Cloudflare API, refer to [Fundamentals](/fundamentals/api/get-started/). + +```bash +curl --request PATCH \ +https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--header "Content-Type: application/json" \ +--data '{ +"dnssec_use_nsec3": true, +"status": "active" +}' +``` + +[^1]: A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain. \ No newline at end of file diff --git a/src/content/docs/dns/dnssec/troubleshooting.mdx b/src/content/docs/dns/dnssec/troubleshooting.mdx index 2d1617bf31a4be..78369f9d4f38ed 100644 --- a/src/content/docs/dns/dnssec/troubleshooting.mdx +++ b/src/content/docs/dns/dnssec/troubleshooting.mdx @@ -3,7 +3,7 @@ pcx_content_type: troubleshooting source: https://support.cloudflare.com/hc/en-us/articles/360021111972-Troubleshooting-DNSSEC title: Troubleshooting sidebar: - order: 6 + order: 9 head: - tag: title content: Troubleshooting DNSSEC 
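Review bot: in the new enable-nsec3.mdx hunk, the curl example sets `"status": "active"` and `"dnssec_use_nsec3": true` in one call, but the prose does not say whether this works on a zone where DNSSEC is not yet active or only toggles NSEC3 on an already-active zone; state that explicitly next to the endpoint link. Two smaller points: "replace the values started by `$`" should read "replace the values starting with `$`", and the file ends without a trailing newline ("\ No newline at end of file"). In the troubleshooting.mdx hunk, the sidebar order jumps from 6 to 9 while the new page takes 6; if 7 and 8 are already occupied by other pages, a line in the commit message saying so would save the next reviewer a lookup.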
From 5d6b9876a33b02dcb92b062b228152c6d223d65f Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 13 May 2025 09:46:17 +0100 Subject: [PATCH 2/5] Add section on how to verify NSEC3 is in use --- src/content/docs/dns/dnssec/enable-nsec3.mdx | 24 +++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/src/content/docs/dns/dnssec/enable-nsec3.mdx b/src/content/docs/dns/dnssec/enable-nsec3.mdx index e8170be8a48aca..a7cb50204d880e 100644 --- a/src/content/docs/dns/dnssec/enable-nsec3.mdx +++ b/src/content/docs/dns/dnssec/enable-nsec3.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: how-to -title: Enable NSEC3 +title: NSEC3 support description: Learn how to enable NSEC3 support with Cloudflare to meet compliance requirements. sidebar: order: 6 @@ -10,6 +10,8 @@ As explained in [our blog](https://blog.cloudflare.com/black-lies/), Cloudflare' However, if you must use NSEC3 for compliance reasons, you can enable it as explained below. +## Enable NSEC3 + Use the [Edit DNSSEC Status endpoint](/api/resources/dns/subresources/dnssec/methods/edit/), setting `status` to `active` and `dnssec_use_nsec3` to `true`. You should replace the values started by `$` with your zone ID and API token. To learn more about using the Cloudflare API, refer to [Fundamentals](/fundamentals/api/get-started/). ```bash 
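Review bot: the title hunk renames the page to "NSEC3 support" but leaves `description` as "Learn how to enable NSEC3 support with Cloudflare to meet compliance requirements", which no longer covers the verification section this same patch adds; consider "Enable NSEC3 with Cloudflare for compliance and verify it is in use". With the new `## Enable NSEC3` heading in place, the intro's "as explained below" could point at the section by name.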
@@ -23,4 +25,24 @@ https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec \ }' ``` +## Verify NSEC3 is in use + +To validate that NSEC3 is being used, consider the following scenarios: + +### Non-existent zone name + +A command like the following would trigger a signed negative response using NSEC3 for proof of non-existence. Look for NSEC3 records under the `Authority Section` of the response. + +```sh +dig +dnssec doesnotexist.example.com +``` + +### Non-existent record type at an existing name + +If the name `www` exists but the type TXT does not, the example below would trigger a signed NODATA response using NSEC3. Look for NSEC3 records under the `Authority Section` of the response. + +```sh +dig +dnssec www.example.com TXT +``` + [^1]: A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain. \ No newline at end of file From 70bc2a38a543c231986f8ad9603485bcd2e643a5 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 27 May 2025 10:10:46 +0100 Subject: [PATCH 3/5] Replace API example with APIRequest component version --- src/content/docs/dns/dnssec/enable-nsec3.mdx | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/content/docs/dns/dnssec/enable-nsec3.mdx b/src/content/docs/dns/dnssec/enable-nsec3.mdx index a7cb50204d880e..d5dc711f73e837 100644 --- a/src/content/docs/dns/dnssec/enable-nsec3.mdx +++ b/src/content/docs/dns/dnssec/enable-nsec3.mdx 
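Review bot: on the `## Verify NSEC3 is in use` hunk of patch 2/5, both dig commands query whatever resolver is configured locally, so a reader may get a cached answer rather than a fresh response from the zone's authoritative nameservers; show the commands with a nameserver placeholder, e.g. `dig +dnssec @<your-cloudflare-nameserver> doesnotexist.example.com`, or say that a response relayed by a resolver is acceptable as long as the NSEC3 records are present. "Authority Section" should match dig's own label, `AUTHORITY SECTION`, so the reader can find it. The two new fences use ```sh while the curl block above uses ```bash; pick one for the page.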
@@ -6,24 +6,24 @@ sidebar: order: 6 --- +import { APIRequest } from "~/components"; + As explained in [our blog](https://blog.cloudflare.com/black-lies/), Cloudflare's implementation of negative answers with NSEC is protected against zone walking[^1]. This implementation removes the need for NSEC3 and has been [proposed as an IETF standard](https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/). However, if you must use NSEC3 for compliance reasons, you can enable it as explained below. ## Enable NSEC3 -Use the [Edit DNSSEC Status endpoint](/api/resources/dns/subresources/dnssec/methods/edit/), setting `status` to `active` and `dnssec_use_nsec3` to `true`. You should replace the values started by `$` with your zone ID and API token. To learn more about using the Cloudflare API, refer to [Fundamentals](/fundamentals/api/get-started/). - -```bash -curl --request PATCH \ -https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---header "Content-Type: application/json" \ ---data '{ -"dnssec_use_nsec3": true, -"status": "active" -}' -``` +Use the [Edit DNSSEC Status endpoint](/api/resources/dns/subresources/dnssec/methods/edit/), setting `status` to `active` and `dnssec_use_nsec3` to `true`. You should replace the values started by `$` with your zone ID and authentication credentials. To learn more about using the Cloudflare API, refer to [Fundamentals](/fundamentals/api/get-started/). + + ## Verify NSEC3 is in use From 2a8531c4c1854a483dc83191abb3dab4a31a8e74 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 27 May 2025 10:27:07 +0100 Subject: [PATCH 4/5] Update dnssec-for-secondary to account for NSEC3 support --- .../dnssec-for-secondary.mdx | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) 
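Review bot: in this hunk only the `import { APIRequest } from "~/components";` line and two blank `+` lines are visible where the curl block was removed; the `<APIRequest ... />` call carrying `dnssec_use_nsec3: true` and `status: "active"` does not appear in this view, so confirm it is in the committed file (the context of patch 5/5 shows a closing `}} />`, which suggests it is). The updated sentence still says "replace the values started by `$`", which should be "starting with `$`", and now refers to "authentication credentials" without naming them; since the removed curl used `Authorization: Bearer $CLOUDFLARE_API_TOKEN`, say "your zone ID and API token" unless the component renders something different.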
diff --git a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary.mdx b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary.mdx index 3828c873e93ee1..054e787e3b8aa7 100644 --- a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary.mdx +++ b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary.mdx 
@@ -14,7 +14,7 @@ import { Render, TabItem, Tabs, GlossaryTooltip, APIRequest } from "~/components - **[Multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/setup/)**: Both Cloudflare and your primary DNS provider know the signing keys of each other and perform their own live-signing of DNS records, in accordance with [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html). - **[Live signing](#set-up-live-signing-dnssec)**: If your domain is not delegated to your primary provider's nameservers and Cloudflare secondary nameservers are the only nameservers authoritatively responding to DNS queries (hidden primary setup), you can choose this option to allow Cloudflare to perform live-signing of your DNS records. -- **[Pre-signed](#set-up-pre-signed-dnssec)**: Your primary DNS provider signs records and transfers out the signatures. Cloudflare then serves these records and signatures as is, without doing any signing. Cloudflare only supports [NSEC records](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/)(and not NSEC3 records) and this setup does not support [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) nor [Load Balancing](/load-balancing/). +- **[Pre-signed](#set-up-pre-signed-dnssec)**: Your primary DNS provider signs records and transfers out the signatures. Cloudflare then serves these records and signatures as is, without doing any signing. By default, Cloudflare uses [NSEC records](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/) and not NSEC3 - refer to [NSEC3 support](/dns/dnssec/enable-nsec3/) if needed. Also, Pre-signed DNSSEC does not support [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) nor [Load Balancing](/load-balancing/). --- 
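Review bot: the rewritten Pre-signed bullet says "By default, Cloudflare uses [NSEC records] and not NSEC3", but in this setup Cloudflare does no signing and serves what the primary transfers, so "uses" misstates who chooses the denial-of-existence type. The point the reader needs is that a pre-signed zone whose primary transfers NSEC3 requires [NSEC3 support] to be enabled first; say that directly, e.g. "If your primary DNS provider signs with NSEC3, enable [NSEC3 support](/dns/dnssec/enable-nsec3/) before the transfer." Also replace the bare " - " with a period or parentheses, and "does not support ... nor" with "or".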
@@ -62,15 +62,10 @@ In this setup, DNSSEC on your pirmary DNS provider does not need to be enabled. ## Set up pre-signed DNSSEC -:::caution[Important: NSEC3 not supported] - -If your primary DNS provider uses NSEC3 instead of NSEC, Cloudflare will fail to serve the pre-signed zone. Authenticated denial of existence is an essential part of DNSSEC ([RFC 7129](https://www.rfc-editor.org/rfc/rfc7129.html)) and is only supported by Cloudflare through NSEC. -::: - ### Prerequisites - Your secondary zone in Cloudflare already exists and zone transfers from your primary DNS provider are working correctly. -- Your primary DNS provider supports DNSSEC using NSEC records (and not NSEC3). +- You have considered whether your primary DNS provider uses NSEC or NSEC3, and have enabled [NSEC3 support](/dns/dnssec/enable-nsec3/) if needed. - Your primary DNS provider transfers out DNSSEC related records, such as RRSIG, DNSKEY, and NSEC. ### Steps @@ -84,9 +79,9 @@ Pre-signed DNSSEC does not support [Secondary DNS Overrides](/dns/zone-setups/zo -a. Select your zone and go to **DNS** > **Settings**. +1. Select your zone and go to **DNS** > **Settings**. -b. Under **DNSSEC with Secondary DNS** select **Pre-signed**. +2. Under **DNSSEC with Secondary DNS** select **Pre-signed**. From 3f9ccd4fde0b9f2b24cec2b1aa305e1fe21d2dc4 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 27 May 2025 10:37:34 +0100 Subject: [PATCH 5/5] Add note on pre-signed DNSSEC to NSEC3 docs --- src/content/docs/dns/dnssec/enable-nsec3.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/content/docs/dns/dnssec/enable-nsec3.mdx b/src/content/docs/dns/dnssec/enable-nsec3.mdx index d5dc711f73e837..b355468227d636 100644 --- a/src/content/docs/dns/dnssec/enable-nsec3.mdx +++ b/src/content/docs/dns/dnssec/enable-nsec3.mdx 
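Review bot: the `## Set up pre-signed DNSSEC` hunk drops the caution that Cloudflare "will fail to serve the pre-signed zone" when the primary uses NSEC3 without carrying that consequence anywhere else, and the replacement prerequisite "You have considered whether your primary DNS provider uses NSEC or NSEC3" is a prompt rather than a checkable requirement. Keep the failure mode and make the item concrete: "If your primary DNS provider signs with NSEC3, you have enabled [NSEC3 support](/dns/dnssec/enable-nsec3/) for the zone; otherwise Cloudflare cannot serve the pre-signed zone." The next prerequisite's list "such as RRSIG, DNSKEY, and NSEC" should now also name NSEC3, since that is the case this PR adds. Separately, the hunk's context line carries an existing typo, "pirmary", that this PR could fix while touching the file.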
@@ -25,6 +25,12 @@ Use the [Edit DNSSEC Status endpoint](/api/resources/dns/subresources/dnssec/met }} /> +### Pre-signed DNSSEC + +If you use Cloudflare as a secondary DNS provider with [pre-signed DNSSEC](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary/), setting `dnssec_use_nsec3` to `true` means that Cloudflare will use NSEC3 records as transferred in from your primary DNS provider. + +Otherwise, NSEC3 records will be generated and signed at request time. + ## Verify NSEC3 is in use To validate that NSEC3 is being used, consider the following scenarios:
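Review bot: "Otherwise, NSEC3 records will be generated and signed at request time" hangs on the preceding "If you use Cloudflare as a secondary DNS provider with pre-signed DNSSEC", so "Otherwise" reads as "if `dnssec_use_nsec3` is not `true`" rather than "for zones Cloudflare signs itself"; rewrite as "For zones that Cloudflare signs (including secondary zones using live signing), enabling NSEC3 makes Cloudflare generate and sign NSEC3 records at request time." The pre-signed paragraph should also state what happens when the flag and the transferred records disagree (flag `true` with a primary transferring NSEC, or flag `false` with a primary transferring NSEC3), since in that setup the flag governs the records Cloudflare serves as transferred rather than anything it generates.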