skip to content
Hiiruki's lab
Table of Contents

Intro

DNSSEC is a security extension of DNS that provides cryptographic authentication of DNS data. It helps to make sure the DNS data is not tampered or spoofed.

DNSSEC relies on a chain of trust, where each DNSSEC-enabled resolver validates the DNSSEC records of the authoritative DNS server, and so on, up to the root zone.

It helps to prevent DNS cache poisoning or DNS spoofing, and DNS man-in-the-middle attacks.

Setup

Cloudflare

  1. Log in to Cloudflare dashboard
  2. Select your domain in “Domains” section
  3. Select “DNS” in sidebar
  4. Click on “Settings”
  5. Enable DNSSEC
Cloudflare DNSSEC Settings
  1. Copy the DS records
Cloudflare DS Records

Porkbun

  1. Log in to Porkbun dashboard
  2. Select Domain Management in “ACCOUNT”
  3. Edit the “REGISTRY DNSSEC” settings by clicking the “Edit” button
Porkbun DNSSEC Settings
  1. Fill in the DS records from Cloudflare
Porkbun DNSSEC Settings
  1. The final setup looks like this.
Porkbun DNSSEC Settings

DNSSEC Status in Cloudflare

Wait for the DNSSEC to be propagated, this will take some time. The DNSSEC status in Cloudflare will show as pending.

Cloudflare DNSSEC Status

After setting it up in Porkbun, Cloudflare will automatically detect the changes and activate the DNSSEC in a few hours. The DNSSEC status in Cloudflare will change to Success! [website-name] is protected with DNSSEC. and the button will change to “Disable DNSSEC”.

Cloudflare DNSSEC Status

Testing

You can use web-based tools to test DNSSEC, such as DNSSEC Analyzer. The output for my domain looks like this:

DNSSEC Analyzer Output

DNSViz can also provide more detailed information about DNSSEC validation with better visualization. The output for my domain looks like this:

DNSViz Output

You can also use CLI or command line tools to check the RRSIG and other DNSSEC records, such as dig or delv:

Terminal window
dig +dnssec hiiruki.moe dnskey
dig

Make sure the output contains the RRSIG record, which is the signature of the DNS record, and the ad (Authenticated Data) flag.

Or using delv to validate DNSSEC locally:

Terminal window
delv hiiruki.moe
delv

The correct output should show fully validated records with no errors, confirming that DNSSEC is working properly.

References