-
moparisthebest
does anyone (clients or servers) do any... "detection" of whether you can properly resolve+verify DNSSEC ?
-
flow
moparisthebest, like simply resolve a well-known dns name which is guaranteed to be DNSSEC enabled?
-
moparisthebest
flow, possibly, seems like maybe a bad SPOF though
-
flow
n dns names then
-
moparisthebest
other than domain names I own, any other such domains ?
-
jonas’
moparisthebest, what do you mean by "properly resolve+verify"?
-
flow
moparisthebest, .de is DNSSEC enabled, probably other TLDs too
-
jonas’
moparisthebest, I recall there was some badxmpp.eu-like thing for DNSSEC
-
moparisthebest
jonas’, I'm told various networks totally break when asked for DNSSEC
-
jonas’
the root zone is DNSSEC enabled
-
jonas’
you could just use that
-
jonas’
if the root zone is fried you're doomed anyway
-
moparisthebest
good point
-
moparisthebest
my thought is that if I can detect if *handwave* this network is good for DNSSEC, I can resolve like normal, and if it's not, then DoH to cloudflare or google which will always work for DNSSEC
-
jonas’
DoT pls.
-
moparisthebest
that way my resolver is always guaranteed to be able to do DNSSEC
-
jonas’
no need for HTTP overhead there.
-
moparisthebest
yea sure, but same end result
-
flow
I wouldn't be so sure about the "always work" part, maybe some hotspots filter third party DNS providers?
-
moparisthebest
well, that's what DoH is meant to work around right?
-
moparisthebest
but yea, if I can't resolve with DNSSEC I'll just abort the whole thing rather than run crippled
-
defanor
Sounds like this may lead to a failure to connect even if the target host doesn't use DNSSEC anyway (and the user doesn't require DNSSEC): major DoH servers can be blocked by a network administrator or a government, or one may even try to chat in a local network, without Internet access.