Closed unbeatable-101 closed 4 months ago
Sorry, that was a bad example, for some reason iCloud private relay turned itself back on (though that really should support DNSSEC), though it does happen with it actually disabled like here:
I can't read images, sorry.
DNSSEC support is reported by dnscrypt-proxy -resolve:
$ dnscrypt-proxy -resolve example.com
./dnscrypt-proxy -resolve example.com
Resolving [example.com] using 127.0.0.1 port 53
Resolver : 74.125.47.9
...
Name servers : a.iana-servers.net., b.iana-servers.net.
DNSSEC signed : yes
What resolvers did you find not supporting DNSSEC while they had the DNSSEC bit set in their stamp?
Does the current workflow test if the stamp is advertising the resolver as DNSSEC-enabled but we couldn't get the response for example.com with DNSSEC signed : yes?
It doesn't. Maybe we can use -list -json to get the DNSSEC information from the stamp, and indeed compare that to the output of -resolve.
Added this to my regular check scripts. And sure enough, it quickly detected quite a few resolvers that advertise DNSSEC but don't support it.
I'm going to add it to prcheck and to the status monitor.
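The comparison described above (stamp flag from -list -json versus the resolver section of -resolve), as an added example that is not part of the thread or of dnscrypt-proxy itself. It assumes the -list -json objects carry "name" and "dnssec" fields, and the sample outputs below are constructed, not captured from real resolvers:

```python
import json
import re

# Assumed field names in `dnscrypt-proxy -list -json` output: "name" and "dnssec".
def stamp_dnssec_flags(list_json: str) -> dict:
    """Map resolver name -> DNSSEC flag advertised by its stamp."""
    return {entry["name"]: bool(entry.get("dnssec")) for entry in json.loads(list_json)}

# The resolver-section line looks like "DNSSEC : no, the resolver doesn't support DNSSEC".
# "DNSSEC signed : yes" describes the queried domain, not the resolver, and must not match.
_RESOLVER_DNSSEC = re.compile(r"^DNSSEC\s*:\s*(yes|no)", re.MULTILINE)

def resolver_supports_dnssec(resolve_output: str):
    """True/False from the resolver section of `-resolve` output, None if the line is absent."""
    m = _RESOLVER_DNSSEC.search(resolve_output)
    return None if m is None else m.group(1) == "yes"

def check_resolver(advertised: bool, resolve_output: str) -> str:
    """Classify one resolver: stamp claim vs. observed behaviour (both directions, as requested)."""
    supported = resolver_supports_dnssec(resolve_output)
    if supported is None:
        return "unknown"
    if advertised and not supported:
        return "advertised but unsupported"
    if supported and not advertised:
        return "supported but not advertised"
    return "ok"

def audit(list_json: str, resolve_outputs: dict) -> dict:
    """Run check_resolver for every resolver in the listing; missing output -> 'unknown'."""
    return {name: check_resolver(adv, resolve_outputs.get(name, ""))
            for name, adv in stamp_dnssec_flags(list_json).items()}

# Constructed sample data (not real resolvers): resolver-a lies in its stamp, resolver-b
# supports DNSSEC without advertising it, resolver-c is consistent.
SAMPLE_LIST_JSON = json.dumps([
    {"name": "resolver-a", "dnssec": True},
    {"name": "resolver-b", "dnssec": False},
    {"name": "resolver-c", "dnssec": True},
])
SAMPLE_RESOLVE = {
    "resolver-a": "Resolver : 192.0.2.1\nLying : no\nDNSSEC : no, the resolver doesn't support DNSSEC\n"
                  "ECS : ignored or selective\nDNSSEC signed : yes\n",
    "resolver-b": "Resolver : 192.0.2.2\nLying : no\nDNSSEC : yes\nDNSSEC signed : yes\n",
    "resolver-c": "Resolver : 192.0.2.3\nLying : no\nDNSSEC : yes\nDNSSEC signed : yes\n",
}
```

Note that resolver-a still shows "DNSSEC signed : yes" for the domain, which is exactly why the domain line cannot be used as the resolver check.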
Probably I'm doing it wrong but both with https://dnscheck.tools/ ("Great! Your DNS responses are authenticated with DNSSEC") and using dnscrypt-proxy -resolve example.com ("DNSSEC signed : yes") I get positive results for e.g. UncensoredDNS.
How to get the correct result?
I just set server_names = ['uncensoreddns-dk-ipv4'], and ran dnscrypt-proxy -resolve example.com:
Resolving [example.com] using 127.0.0.1 port 53
Resolver : 89.233.43.71 (unicast.censurfridns.dk.)
Lying : no
DNSSEC : no, the resolver doesn't support DNSSEC
ECS : ignored or selective
Thanks, so: server_names.
"DNSSEC signed" is printed in the section about the domain name you are querying, not the server properties.
@c3d1c06c-bf26-477e-b0eb-c50ef4477ba6
How to get the correct result?
Manually I'd use this to verify a resolver's functionality:
$ dnslookup go.dnscheck.tools [stamp]
and
$ dnslookup badsig.go.dnscheck.tools [stamp]
to verify it's DNSSEC; it should return SERVFAIL if DNSSEC.
It would be useful to do the test in reverse too: when a resolver doesn't advertise DNSSEC (human error during addition) but it indeed does support DNSSEC. @jedisct1
I have require_dnsssec = true set in my config and am only using dnscrypt servers from the default server list, yet when I use https://dnscheck.tools/ to check DNSSEC support, I'll sometimes get it saying DNSSEC is supported, and sometimes it will say it isn't. Here is an example of when it isn't.