does anyone (clients or servers) do any... "detection" of whether you can properly resolve+verify DNSSEC ?
moparisthebest, like simply resolve a well-known dns name which is guaranteed to be DNSSEC enabled?
flow, possibly, seems like maybe a bad SPOF though
n dns names then
other than domain names I own, any other such domains ?
moparisthebest, what do you mean by "properly resolve+verify"?
moparisthebest, .de is DNSSEC enabled, probably other TLDs too
moparisthebest, I recall there was some badxmpp.eu-like thing for DNSSEC
jonas’, I'm told various networks totally break when asked for DNSSEC
the root zone is DNSSEC enabled
you could just use that
if the root zone is fried you're doomed anyway
my thought is that if I can detect if *handwave* this network is good for DNSSEC, I can resolve like normal, and if it's not, then DoH to cloudflare or google which will always work for DNSSEC
that way my resolver is always guaranteed to be able to do DNSSEC
no need for HTTP overhead there.
yea sure, but same end result
I wouldn't be so sure about the "always work" part, maybe some hotspots filter third party DNS providers?
well, that's what DoH is meant to work around right?
but yea, if I can't resolve with DNSSEC I'll just abort the whole thing rather than run crippled
Sounds like this may lead to a failure to connect even if the target host doesn't use DNSSEC anyway (and the user doesn't require DNSSEC): major DoH servers can be blocked by a network administrator or a government, or one may even try to chat in a local network, without Internet access.