DNSSEC Available to Test on Cloud DNS


cloud-dns-announce

May 19, 2016, 6:16:27 PM
to cloud-dns-announce, cloud-dn...@googlegroups.com

In 2013, Google Public DNS (8.8.8.8) became the largest public DNS resolver to support DNSSEC (DNS Security Extensions), doubling the number of Internet clients protected by DNSSEC validation. Today, we are excited to announce that fully-managed DNSSEC is available as an invitational Alpha-release feature in Google Cloud DNS. You may fill out this form to request an invitation.

DNSSEC helps mitigate the risk of DNS hijacking and man-in-the-middle attacks by cryptographically signing DNS records. Validating DNS resolvers, such as Google Public DNS, accept and relay to Internet users only authentic data from signed domains. This prevents attackers from misdirecting browsers to nefarious websites, for example, by issuing fake DNS responses.

DNSSEC in Google Cloud DNS is designed for ease of use. Follow a few simple steps, then sit back, relax, and enjoy the added security benefits. Advanced users may choose to use different signing algorithms and denial-of-existence types. We support several sizes of RSA and ECDSA keys, and both NSEC and NSEC3. For more details, please refer to the instructions that will come along with the invitation.

This is an Alpha release. Access to the feature is by invitation only, and only intended for testing purposes. If you are interested in trying it out, please request an invitation by filling out this form. We will contact you with details on how to get started. At this moment, DNSSEC is only available to Google Cloud DNS users participating in this Alpha release. Google Domains users, please stay tuned!

Richard Woodbury, on behalf of the Cloud DNS team.


m...@michael.band

Jun 3, 2016, 3:06:31 AM
to cloud-dns-discuss, cloud-dns...@googlegroups.com
I filled out the form for this back in May but still haven't had any contact from Google.

mrey...@greenpeace.org

Aug 4, 2016, 11:21:38 PM
to cloud-dns-discuss, cloud-dns...@googlegroups.com, m...@michael.band
On Friday, June 3, 2016 at 5:06:31 PM UTC+10, m...@michael.band wrote:
> I filled out the form for this back in May but still haven't had any contact from Google.

Did you try again?

Worked for me in the last few days. Was added within about 12 hours.

Richard Woodbury

Aug 4, 2016, 11:30:02 PM
to m...@michael.band, cloud-dns-discuss, cloud-dns...@googlegroups.com
On Fri, Jun 3, 2016 at 3:06 AM <m...@michael.band> wrote:
> I filled out the form for this back in May but still haven't had any contact from Google.

Not sure what might have happened, but I've just sent an/another invitation to you. Let me know if you don't get it.

pana...@gmail.com

Sep 5, 2017, 11:57:21 AM
to cloud-dns-discuss, m...@michael.band, cloud-dns...@googlegroups.com
I've filled out the form a few days ago and didn't get a response until now too. Is the DNSSEC Alpha still open?

Ronald McCormick

Sep 5, 2017, 1:35:51 PM
to cloud-dns-discuss, m...@michael.band, cloud-dns...@googlegroups.com
I suspect it IS... It took about a week before I got added (just recently). WARNING: The directions that they sent me were incorrect... They have you add a repository for a gcloud component.... (DON'T DO it... It breaks a few things as it reverts the API to an ancient version) The commands will be available once they add you to the permissions, but they are actually in the standard beta section (you will have to install the beta component). You WILL need to re-auth with gcloud to get access as well. They will send you an email once you're enabled.

My review of things so far is that it works for most domains... SOME TLDs either don't support DNSSEC or are very slow in propagating. (.us, .xyz and .online specifically)

If you have any questions, feel free to ask since I just went through the rough patches myself.

Richard Woodbury

Sep 5, 2017, 3:48:15 PM
to cloud-dns-discuss, m...@michael.band, cloud-dns...@googlegroups.com
On Tuesday, September 5, 2017 at 1:35:51 PM UTC-4, Ronald McCormick wrote:
> I suspect it IS... It took about a week before I got added (just recently)

Yes, the Alpha is very much still open. We add users in batches, so don't expect an immediate invite after filling out the form.
 
> WARNING: The directions that they sent me were incorrect... They have you add a repository for a gcloud component.... (DON'T DO it... It breaks a few things as it reverts the API to an ancient version)

The instructions are correct (tested myself last week), and this is the expected usage. Please let me know what are the "few things" that break for you, so this can be addressed.
 
> The commands will be available once they add you to the permissions, but they are actually in the standard beta section (you will have to install the beta component).

It may be possible to use the Beta commands, but as the product hasn't entered Beta yet, this is not the prescribed method.

Richard Woodbury

Sep 5, 2017, 3:50:40 PM
to cloud-dns-discuss, m...@michael.band, cloud-dns...@googlegroups.com
I will add that you don't have to bother with gcloud if you want to use the Cloud Console. There are only a few advanced features unavailable in the UI, but it has all the functionality necessary to get set up with DNSSEC.

pana...@gmail.com

Sep 5, 2017, 6:13:58 PM
to cloud-dns-discuss, m...@michael.band, cloud-dns...@googlegroups.com
On Friday, August 5, 2016 at 5:30:02 AM UTC+2, Richard Woodbury wrote:

Ronald McCormick

Sep 6, 2017, 12:47:28 AM
to cloud-dns-discuss, m...@michael.band, cloud-dns...@googlegroups.com
Since it is expected to revert the API, then I will report that some zones that previously exported fine with --zone-file-format fail when using the older API version...

% gcloud dns record-sets export foo --zone pluribusgames-com --zone-file-format
ERROR: (gcloud.dns.record-sets.export) unable to export record-sets to file [foo].

Using the current API 169:
% gcloud dns record-sets export foo --zone pluribusgames-com --zone-file-format
Exported record-sets to [foo]. 

Side Note: The current version does properly support the TLSA records on export.