DNSSEC does not work on Production Resolvers

Comments

8 comments

  • rotblitz

    It seems your router attempts to validate all replies, not just unsigned DNSSEC replies.

    You need to understand what DNSSEC is.
    https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

    You should not need to change any settings.

    0
  • pavlicekdevid (Edited)

    Hi rotblitz, but why do "Sandbox" and "FamilyShield" work when the setting "Validate unsigned DNSSEC replies" is enabled?

    Also, for DNSSEC to work I thought that both the server and client side have to enable it. https://ititch.com/dnssec-what-you-need-to-know/

    0
  • rotblitz (Edited)

    I don’t know why it sometimes works. I do not know your router.

    And yes, the client is OpenDNS, and the server is the authoritative nameserver of the DNSSEC-enabled domain. As you can see, you are out of the game.

    0
  • pavlicekdevid (Edited)

    rotblitz, it seems more like a bug to me. With the option "Validate unsigned DNSSEC replies" enabled on my router (Asus RT-AC88U), it is only not working on the production resolvers (208.67.222.222, 208.67.220.220).

    As I suspected, it is an issue on the OpenDNS side, as they have now changed the date for the production resolvers to March 10, 2020. Before, it was February 24, 2020. You can check this forum post also.

    0
  • rotblitz (Edited)

    OK, this may be the reason for it not working. I still do not understand what your router has to do with it, though. The routers I know do not have such settings.

    0
  • pavlicekdevid

    Enabling DNSSEC in the router ensures the validation over the "last mile".

    “Enabling DNSSEC in the router GUI ensures DNSSEC validation over the ‘last mile’, i.e., between the DNS server & you.
    So, Cloudflare (or Google, or Quad9) does DNSSEC=yes: enabling locally means you are verifying locally what you get from Cloudflare (or Google, Quad9) as being still ok, not tampered with, when it gets to you. (found here)”

    “While DNSSEC ensures integrity of data between a resolver and an authoritative server, it does not protect the privacy of the “last mile” towards you. DNS resolver, 1.1.1.1, supports both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering. (found here)”

    0
  • rotblitz
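Added here as an example of the check behind this discussion (not code from the OpenDNS forum or from either poster): a router that validates locally must send the EDNS0 DO bit to get RRSIG records back, so the script builds such a query, can send it to a resolver such as the production resolvers named in the thread, and reports whether the reply carries the AD bit, what RCODE it has (a validating resolver answers SERVFAIL for bogus data), and how many RRSIGs came back. The embedded sample reply and the use of example.com are constructed so the parsing part runs offline.

```python
import socket
import struct
def build_query(qname, qid=0x1234, dnssec_ok=True):
    """Wire-format A query; dnssec_ok adds an EDNS0 OPT record with the DO bit, needed to get RRSIGs back."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)  # flags: RD=1
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    question = qname_wire + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, UDP payload 4096, ext-rcode 0, version 0, flags DO=0x8000, RDLEN 0
        opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def summarize(response):
    """What a locally validating router needs from the reply: RCODE, AD bit, and RRSIG count."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4  # skip QTYPE/QCLASS
    rrsigs = 0
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10 + rdlen
        rrsigs += rtype == 46  # type 46 = RRSIG
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": an, "rrsigs": rrsigs}

def query(resolver_ip, qname, timeout=3.0):
    """Send the DO-bit query over UDP, e.g. query("208.67.222.222", "example.com"); needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (resolver_ip, 53))
        return summarize(s.recv(4096))
SAMPLE_RESPONSE = (  # constructed sample reply, not captured from any resolver: AD set, one A record plus one RRSIG
    b"\x12\x34\x81\xa0\x00\x01\x00\x02\x00\x00\x00\x00"  # header: QR RD RA AD, 1 question, 2 answers
    b"\x07example\x03com\x00\x00\x01\x00\x01"  # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"  # A 93.184.216.34
    b"\xc0\x0c\x00\x2e\x00\x01\x00\x00\x01\x2c\x00\x04\x00\x00\x00\x00"  # RRSIG, placeholder rdata
)
```

If a resolver answers with AD unset and no RRSIGs even though DO was sent, the router's local validation has nothing to check, which is the failure mode described above.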

    I see now. Thanks. It looks like my router does this automatically. Even better.

    0
  • pavlicekdevid (Edited)

    For anyone who is reading this and is also interested in implementing DNSSEC on the "last mile", I am reporting that this now works perfectly on the production resolvers too.

    1