Hacker News
by davidpelaez 3811 days ago
I'd like to clarify that there's a _major_ issue to consider. Here's my comment on the article explaining it:

Cloudflare delivers signatures for records that last longer than the TTL of the record. This has the problem of replay attacks. If an employee who had access at some point configures a machine's DNS to return an old DNS response, it will be valid until the expiration of the signature, hence having access for longer than the actual TTL.

I just checked, and Cloudflare generates signatures expiring +2 days in the future. This means that if I have a TTL of 5 minutes on my record but the client is receiving old queries, authentication would pass without a problem for as long as the RRSIG is valid.

Ideally, Cloudflare should sign every record with the same frequency as the record's TTL; that would solve the issue.

After finding this out I think you should _not_ use Cloudflare's DNSSEC because revoking access to a user wouldn't be 100% effective until the RRSIG expiration date given the replay attack scenario.
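As an added illustration (not the commenter's code), the Python check below parses an RRSIG in presentation format and computes how long a response that is already past its TTL would still validate; the RRSIG line, its dates and key tag are constructed sample data, not a real Cloudflare record.

```python
"""Measure how far an RRSIG validity window outlives the record's TTL.

Constructed sample data: timestamps are YYYYMMDDHHMMSS in UTC, and the
RRSIG field order follows RFC 4034 presentation format:
type_covered alg labels orig_ttl expiration inception key_tag signer sig.
"""
from datetime import datetime, timezone

# Constructed example: a 5-minute TTL signed with a 2-day validity window.
SAMPLE_RRSIG = ("example.com. 300 IN RRSIG A 13 2 300 20150325000000 "
                "20150323000000 12345 example.com. c2lnbmF0dXJlLWJ5dGVz")


def _ts(field):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp into epoch seconds (UTC)."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_rrsig(line):
    """Extract the fields this check needs from one RRSIG presentation line."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"ttl": int(f[1]), "type_covered": f[4],
            "expiration": _ts(f[8]), "inception": _ts(f[9])}


def replay_exposure_seconds(rrsig, observed_at):
    """Seconds a response captured at observed_at keeps validating after its
    TTL has run out, i.e. how long a stale answer could still be accepted."""
    intended_expiry = observed_at + rrsig["ttl"]
    return max(0, rrsig["expiration"] - intended_expiry)


def stale_but_valid(rrsig, observed_at, check_at):
    """True if, at check_at, the cached answer is past its TTL yet a DNSSEC
    validator would still accept its signature."""
    past_ttl = check_at > observed_at + rrsig["ttl"]
    within_sig = rrsig["inception"] <= check_at <= rrsig["expiration"]
    return past_ttl and within_sig


if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    t0 = sig["inception"]  # response captured right after signing
    print("replay exposure (s):", replay_exposure_seconds(sig, t0))  # 172500
    print("stale but valid 10 min later:", stale_but_valid(sig, t0, t0 + 600))
```

Running this over a zone's real RRSIGs shows, per record, the gap between the TTL the operator set and the window in which a replayed answer would still pass validation.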