jdev - 2022-02-22


  1. moparisthebest

    does anyone (clients or servers) do any... "detection" of whether you can properly resolve+verify DNSSEC?

  2. flow

    moparisthebest, like simply resolve a well-known dns name which is guaranteed to be DNSSEC enabled?

  3. moparisthebest

    flow, possibly, seems like maybe a bad SPOF though

  4. flow

    n dns names then

  5. moparisthebest

    other than domain names I own, any other such domains?

  6. jonas’

    moparisthebest, what do you mean by "properly resolve+verify"?

  7. flow

    moparisthebest, .de is DNSSEC enabled, probably other TLDs too

  8. jonas’

    moparisthebest, I recall there was some badxmpp.eu-like thing for DNSSEC

  9. moparisthebest

    jonas’, I'm told various networks totally break when asked for DNSSEC

  10. jonas’

    the root zone is DNSSEC enabled

  11. jonas’

    you could just use that

  12. jonas’

    if the root zone is fried you're doomed anyway

  13. moparisthebest

    good point

  14. moparisthebest

    my thought is that if I can detect if *handwave* this network is good for DNSSEC, I can resolve like normal, and if it's not, then DoH to cloudflare or google which will always work for DNSSEC

  15. jonas’

    DoT pls.

  16. moparisthebest

    that way my resolver is always guaranteed to be able to do DNSSEC

  17. jonas’

    no need for HTTP overhead there.

  18. moparisthebest

    yea sure, but same end result

  19. flow

    I wouldn't be so sure about the "always work", maybe some hotspots filter third party DNS providers?

  20. flow

    I wouldn't be so sure about the "always work" part, maybe some hotspots filter third party DNS providers?

  21. moparisthebest

    well, that's what DoH is meant to work around right?

  22. moparisthebest

    but yea, if I can't resolve with DNSSEC I'll just abort the whole thing rather than run crippled

  23. defanor

    Sounds like this may lead to a failure to connect even if the target host doesn't use DNSSEC anyway (and the user doesn't require DNSSEC): major DoH servers can be blocked by a network administrator or a government, or one may even try to chat in a local network, without Internet access.