Implement DNSSEC
I understand that OpenDNS currently supports DNScrypt; can we have DNSSEC validation added?
-
Official comment
OpenDNS is happy to announce support for DNSSEC.
Details can be found in the following article: https://support.opendns.com/hc/en-us/articles/360039659971
-
See point 3 at http://www.opendns.com/technology/dnscrypt/
-
-
@matt Then unfortunately your gut feeling is wrong. Not sure what you meant by "competitor" in DNS resolver services; they are always free and relatively hard to monetize.
Anyway, I commented on this thread since I got an OpenDNS support reply which says "DNSSEC is being considered for the future", and I was advised to voice my opinion on this existing thread (I was given a link to this page in the e-mail).
I could ask you the same, though. Could you be affiliated with OpenDNS, considering your remarkably extensive reply that really sounds like an insider's? In case that were true you might want to check, based on my IP, whether I live in a country where an OpenDNS "competitor" exists, and perhaps check whether my IP is currently in the list of OpenDNS users. :)
-
It always amazes me how people on here don't say that they are posting something because tech support asked them to, and withhold some piece of information that is unknown to the vast majority of people, and only reveal it after getting some pushback. Almost always, knowing that information up front would change how the initial post is received and responded to.
By competitor I mean some other company selling DNS related services to paying customers. There are several of them that I know of who in addition to recursive DNS have several additional functions that they can perform, usually along the lines of some sort of security or filtering. Most of the purely recursive DNS services that I know of are owned by ISPs, so they are underwriting the cost of their DNS services by selling their customers internet access anyway. I can't think of any that aren't trying to monetize their DNS and DNS related services or providing them as a result of some other service that they are selling, such as internet connectivity.
I am not an OpenDNS employee. Just like a handful of people on here I sometimes write long replies to help out, teach, or otherwise inform others who are on this forum. I prefer to make my posts fully fleshed out, rather than partial thought fragments that do more to confuse and obfuscate than they do to answer questions or provide information.
As for my relationship with OpenDNS I'm a long time customer, and a member (meaning my business, not me personally) of their partner program. That means that I recommend and sell OpenDNS to some of my clients. Sometimes as a stand alone product, other times as part of my MSP offering. If I stopped selling it or posting on this forum I sincerely doubt that OpenDNS would even notice. I go out of my way on this forum to not advertise that I also sell their products so that I don't influence how what I say is perceived, especially so that my words aren't dismissed as coming from someone who is solely interested in making a quick buck off the people here.
I'm not going to bother checking on your rather farcical suggestion that I "check up on you" based on your IP address, since anyone who gets their information regarding computer matters from any place other than TV and Hollywood knows how useless an IP address is for proving geographical location. The only thing that I can say for sure based on your IP address is that it passed through some particular device or another, though with technologies such as multicast or load balancing even that isn't quite ironclad. Besides which, I'm not even sure if this web forum would provide an IP address that's affiliated with whatever device you posted from, rather than the address of one of this forum's servers.
-
It also amazes me, since this is the first time I have posted something on a product feature request section and I am getting accused of "working for a competitor" by a "business member of the partner program". Also I'm sorry, but I chuckled a bit when I read "withhold some piece of information that is unknown to the vast majority of people", and all I did was request DNSSEC. I hope you don't suspect I also worked for Reichspropaganda-Leitung in the past. ;)
Okay, I'm just joking. All I can say is I like OpenDNS, and that's why I went to such lengths to write a support request and write on its forum for a simple feature request; admittedly I'm not that dedicated, since I don't sell/work for entities that sell anything related to OpenDNS or anything DNS-related for that matter. I'm a big fan of the "brevity is the soul of wit" saying anyway.
I appreciate your being transparent, though.
Now that everything has been cleared up, I suggest we move forward to the DNSSEC discussion. As for me, I have said everything I need (in this thread and the other thread). Perhaps others might chime in as well. :)
-
Ok, benefit of the doubt granted, let's move on.
Personally, I'd like to have DNSSEC supported, for if and when more domains get certificates and are actually authenticated that way. Frankly, if you'd have asked me last week I'd have told you that I thought DNSSEC was supported by OpenDNS, based on something I'd thought I'd read somewhere, but obviously I'd have had some problems verifying it. The same problems I had with verifying it this week. :)
The biggest weakness with DNSSEC is that certificates cost money and most domain owners (including myself) aren't motivated enough to spend the money for it. Perhaps in time domain registrars will include a DNSSEC certificate as part of the price, but I suspect that would just mean raising the price to register a domain. It would be nice however if US federal agencies followed their mandate to support DNSSEC, but as with IPv6 most have missed or simply ignored it.
Given the choice I'd rather see OpenDNS giving priority to full IPv6 support rather than DNSSEC however.
-
@mattwilson9090 I've never seen a registrar charge for that. All my domains are signed, including dnscrypt.org . I heavily rely on DNSSEC for SSH host key verification and to sign files.
I've been using Gandi, GKG and OVH, and all it takes is to enter the signer records along with the nameserver IPs. If you use their servers as name servers, OVH also provides DNSSEC for all eligible domains by default.
If your registrar is asking you to pay a premium for that, it's a rip-off; consider transferring your domains elsewhere.
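As an added example (not code from the commenter above, from OpenDNS, or from any registrar), here is what the "signer records" mentioned above actually are: the registrar wants a DS record, which is a digest of the zone's key-signing DNSKEY together with its owner name, plus a key tag computed over the DNSKEY RDATA, both per RFC 4034. The DNSKEY line and the key bytes used below are constructed placeholders, not a real key.

```python
# Added example, not OpenDNS's or the commenters' own code: derive the DS
# ("signer") record that a registrar asks for from a zone's KSK DNSKEY,
# following RFC 4034 (key tag in Appendix B, DS digest in section 5.1.4).
import base64
import hashlib
import struct

# DS digest types; type 1 (SHA-1) is deliberately left out as obsolete.
DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) wire form, which the DS digest covers."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(text: str):
    """Parse the presentation form 'owner [TTL] [IN] DNSKEY flags proto alg base64...'."""
    fields = text.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, proto, alg, pubkey


def ds_fields(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> tuple:
    """Return (key tag, algorithm, digest type, hex digest) for the DS record."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS line, as a registrar's form expects its fields."""
    tag, alg, dt, digest = ds_fields(owner, flags, protocol, algorithm, pubkey, digest_type)
    return "%s IN DS %d %d %d %s" % (owner.lower(), tag, alg, dt, digest)


if __name__ == "__main__":
    # Constructed placeholder: flags 257 = KSK, algorithm 13 = ECDSAP256SHA256,
    # with a 2-byte dummy key instead of a real 64-byte P-256 public key.
    SAMPLE_DNSKEY = "example. IN DNSKEY 257 3 13 AAE="
    owner, flags, proto, alg, key = parse_dnskey(SAMPLE_DNSKEY)
    print(ds_record(owner, flags, proto, alg, key))
    print(ds_record(owner, flags, proto, alg, key, digest_type=4))
```

In practice you feed in the DNSKEY line your signer produced, paste the four DS fields into the registrar's form, and compare the key tag and digest the registrar displays against what you computed before saving; a mismatch means the parent will publish a DS that points at nothing and validating resolvers will fail the whole zone. Digest type 1 (SHA-1) is refused here on purpose, and algorithm 1 (RSA/MD5) would need a different key-tag rule, which is why the function only claims correctness for the other algorithms.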
-
So it's not that DNSSEC signing is totally free like you said, it's that the registrars you've worked with don't specifically charge for it. That's a huge difference. Without researching what I assume are 3 different registrars that you named I'd guess that DNSSEC is baked into their pricing model and you're still paying for it, just not as a separate line item. In time perhaps that will be how all registrars function, but generating and maintaining certificates and the cost required for the infrastructure is a non-zero cost, so I would expect them to charge for it either as a part of their standard pricing or as a separate line item. For now I prefer it to be a separate line item since the vast majority of domains don't need certificates, either for DNSSEC or more generalized purposes such as TLS/SSL.
I'm glad that you've found a use for DNSSEC, but right now I have no use or need for it, especially while the vast majority of domains are not signed, especially by big providers and governmental entities. If that changes I'll consider changing it for my minuscule portion of the world.
But no thank you, I'm not going to change my registrar, who I haven't named, because you claim they are a rip-off even though you don't know who they are or my relationship with them. They have provided me excellent service at a very good price over the years and DNSSEC isn't even close enough to being on my radar to consider dropping them over this.
-
I'm confused, point 3 of this link: http://www.opendns.com/technology/dnscrypt/
It sounds like they are all for DNSSEC and hope it increases in global use... but not here at OpenDNS?
I've recently needed to set up unbound with DNSSEC and wasn't sure why things weren't working right; I had just assumed that OpenDNS supported DNSSEC. Once I found out they don't, I switched to a public DNS that does, and things worked great.
Simply put that means I can't continue to use OpenDNS. Thanks, it was great while it lasted. If DNSSEC is added, I'll be back.
-
Has there been any significant increase in use of DNSSEC?
My impression is that while OpenDNS likes the concept they aren't going to invest the engineering resources to add it to their infrastructure, or the ongoing support resources to maintain it while usage has been as low as it has been. Perhaps that will change with the public release of the IFF's free certificate program, and also if large entities, such as major businesses and governments start embracing and using it.
As I've said elsewhere, I'd still put a higher priority on IPv6 implementation than I would on DNSSEC, though I'd like to see both fully supported.
-
mattwilson9090: DNSSEC and free TLS certificates are completely orthogonal. I'm not sure why you think they're related.
While I can't speak for operating a system at OpenDNS' scale, typically enabling DNSSEC validation is a simple one-line, one-time option in a configuration file. No additional support resources are necessary to maintain it -- it's a "set it and forget it" change.
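The one-line option above switches validation on inside the resolver; whether a resolver you point at actually validates is visible on the wire. As an added example (not code from the commenter, from OpenDNS, or from any resolver project), the following Python sends a query with the EDNS0 DO bit set and classifies the reply: the AD flag means the resolver validated the answer, RRSIGs without AD mean it is DNSSEC-aware but not validating, and neither means it is not DNSSEC-aware at all. The sample response is constructed inline (192.0.2.1 is a documentation address and the RRSIG is dummy bytes); the only network call is `query_resolver`, which takes whatever resolver address you hand it.

```python
# Added example, not OpenDNS's or the commenters' own code. Builds a DNS
# query that asks for DNSSEC data (EDNS0 DO bit) and classifies a response
# by the AD header flag and the presence of RRSIG records (RFC 4035).
import socket
import struct

RRSIG, OPT = 46, 41
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000  # DNSSEC OK bit: top bit of the OPT record's TTL field


def name_to_wire(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """RD query plus an OPT record with DO set, so an aware resolver returns RRSIGs."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)
    question = name_to_wire(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root owner name, type 41, "class" = UDP payload size, "TTL" = flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer always ends the name
            return off + 2
        off += 1 + length


def classify_response(msg: bytes) -> dict:
    """Walk the message, collect record types, and read the AD flag."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    ad, rrsig = bool(flags & FLAG_AD), RRSIG in types
    if ad:
        verdict = "validating"
    elif rrsig:
        verdict = "dnssec-aware, not validating"
    else:
        verdict = "not dnssec-aware"
    return {"id": qid, "rcode": flags & 0x000F, "ad": ad, "rrsig": rrsig, "verdict": verdict}


def query_resolver(resolver_ip: str, qname: str, timeout: float = 3.0) -> dict:
    """Send the DO query over UDP and classify the reply (uses the network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (resolver_ip, 53))
        return classify_response(s.recv(4096))


def sample_response(ad: bool, with_rrsig: bool) -> bytes:
    """Constructed reply to 'example. A' for offline testing; the RRSIG rdata is dummy bytes."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if with_rrsig else 1, 0, 1)
    msg += name_to_wire("example.") + struct.pack("!HH", 1, 1)
    ptr = b"\xc0\x0c"  # compression pointer back to the QNAME at offset 12
    msg += ptr + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:
        sig = struct.pack("!HBBIIIH", 1, 13, 1, 3600, 0, 0, 0) + name_to_wire("example.") + b"\x00" * 8
        msg += ptr + struct.pack("!HHIH", RRSIG, 1, 3600, len(sig)) + sig
    msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, DO, 0)
    return msg


if __name__ == "__main__":
    for ad, sig in ((True, True), (False, True), (False, False)):
        print(classify_response(sample_response(ad, sig))["verdict"])
```

Query a name in a zone you know is signed, because AD is never set for unsigned data and the "not dnssec-aware" verdict would be wrong for such a name. Treat AD as meaningful only over a path you trust to the resolver: it is a bare header bit that anything in the path can flip, which is the whole reason a firewall that insists on validating locally, as one later in this thread does, is the safer design. Replies with the TC bit set would have to be retried over TCP, which this example leaves out.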
-
I didn't say that TLS certificates are the same or related to DNSSEC. I mentioned it as one factor that could apply additional pressure to large bodies to start signing their DNS and making DNSSEC a viable option throughout the internet. It will happen in time, but a very long time. Just look at how long it took for all of the DNS root servers to get signed.
As for support issues, there are always support issues involved in introducing a new technology to a major enterprise scale network. Nothing is as simple as "change one line and forget it", especially for a middle man such as the recursive DNS service that is at the heart of OpenDNS. I don't know what those issues will be, or how DNSSEC will operate with or alongside their other services, including filtering, but experience tells me that there will be issues.
-
Fair enough. I just don't really see the connection between TLS certificates (free or not) and DNSSEC. Sure, you can add TLSA records as an extra means of validating TLS certs, but otherwise there's not really much connection.
As for deployment issues, yes, I'm sure that adding an option to a system operating at the scale of OpenDNS is non-trivial. Nevertheless, DNSSEC validation is something that's been done by major services like Comcast and Google Public DNS on a large scale, with services like Cloudflare showing that DNSSEC on authoritative DNS servers (especially those using live-signing) can also operate at large scales. You're right about needing to think about how such validation would interact with filtering and whatnot; that's something I didn't consider.
Still, it's been several years since this post was created. I would hope that'd be enough to work out the kinks. We shall see.
-
Once again, I never said there is a technology connection between TLS certs and DNSSEC. I'm talking about pressure, be it political, marketplace, financial, or whatever, as TLS and other types of certs become more widely used, for those who have been tardy in implementing DNSSEC to do so. And I'm not talking about implementation by recursive DNS services here. I mean all of the government agencies that are mandated to implement DNSSEC, the big companies and agencies, etc. After all, having DNSSEC available from your recursive DNS service doesn't really do much good if the DNS records you want to use it against aren't signed.
Like I said, with such a minuscule implementation rate by those who would need to sign their DNS records, I'd much rather see OpenDNS take whatever resources would be required in developing, testing, and supporting it, and devote them to things with an immediate payoff, such as fully supporting IPv6 in their product line.
As for years since this post was created, it's been even longer that people have been asking for IPv6 and there are still no public updates on that. For either technology I have no idea if the delay is due to kinks or something else. It appears that we'll remain in the dark. One thing I have learned about OpenDNS is that they really don't care about any of the comments on a topic in the idea bank. And they care even less about "+1" comments. The only thing they care about is people voting for this by clicking on the "Me too!" button. If you support this, and haven't already done so, then you need to vote or it really doesn't matter to OpenDNS what you have to say on the matter. Thus far only 7 people have voted for it, so it's probably well below their radar.
-
Adding my vote for this request. I've been a happy user of OpenDNS for some time. I really like its filtering as a second line of defense after the firewall's Squid filter.
But I'm in the process of replacing an old IPCop firewall with a new IPFire one, and it refuses to allow the use of any DNS server that is not DNSSEC aware (and strongly encourages DNSSEC validating). This will leave me with no choice but to give up on OpenDNS. I know I'm just one of millions, but for each user who speaks up, how many silently disappear?
I think OpenDNS' position on DNSSEC made sense in 2014. But not now, two weeks from 2017, with attacks of all types steadily increasing. Every hole needs to be plugged.
28 comments