moparisthebest: does anyone (clients or servers) do any... "detection" of whether you can properly resolve+verify DNSSEC?
flow: moparisthebest, like simply resolve a well-known DNS name which is guaranteed to be DNSSEC enabled?
moparisthebest: flow, possibly, seems like maybe a bad SPOF though
flow: n DNS names then
moparisthebest: other than domain names I own, any other such domains?
jonas’: moparisthebest, what do you mean by "properly resolve+verify"?
flow: moparisthebest, .de is DNSSEC enabled, probably other TLDs too
jonas’: moparisthebest, I recall there was some badxmpp.eu-like thing for DNSSEC
moparisthebest: jonas’, I'm told various networks totally break when asked for DNSSEC
jonas’: the root zone is DNSSEC enabled
jonas’: you could just use that
jonas’: if the root zone is fried you're doomed anyway
moparisthebest: my thought is that if I can detect if *handwave* this network is good for DNSSEC, I can resolve like normal, and if it's not, then DoH to Cloudflare or Google which will always work for DNSSEC
moparisthebest: that way my resolver is always guaranteed to be able to do DNSSEC
jonas’: no need for HTTP overhead there.
moparisthebest: yea sure, but same end result
flow: I wouldn't be so sure about the "always work" part, maybe some hotspots filter third party DNS providers?
moparisthebest: well, that's what DoH is meant to work around, right?
moparisthebest: but yea, if I can't resolve with DNSSEC I'll just abort the whole thing rather than run crippled
defanor: Sounds like this may lead to a failure to connect even if the target host doesn't use DNSSEC anyway (and the user doesn't require DNSSEC): major DoH servers can be blocked by a network administrator or a government, or one may even try to chat in a local network, without Internet access.