Closed Dr-Flay closed 5 years ago
@Dr-Flay: sure, that'd be a nice-to-have. DNSSEC name-and-shame has what might be considered an internal/private, simple "API" for DNSSEC lookups. It's not using anything like RFC 8427 (Representing DNS Messages in JSON), but aggregates multiple DNS type lookups into one DNSSEC-specific response. Not sure if a new browser extension would use the same "API" though.
The DNSSEC/TLSA validators used browser APIs which have been deprecated. As far as I know, this enabled them to perform raw DNS requests from the local machine. A request to an external "cloud" service can be performed instead, but without those local requests it won't really reflect the "actual" DNSSEC status from the user's point of view. That said, it can be combined with specially crafted DNSSEC tests, which use malformed/bad DNSSEC results to show whether DNSSEC was used or not.
Perhaps someone else already developed a similar browser extension? Did some research: here's one alternative by Antoine Popineau, fittingly called DNSSEC. It's for Firefox, but the same source code quite possibly could be packaged for Chromium-based browsers as well. MIT-licensed but can't find the published source code; it's viewable through for example CRX Viewer though.
It uses external lookups with a JSON DNS result, which presumably doesn't reflect the user's "actual" DNSSEC-status.
It's not exactly the same as using RFC 8484 (DNS Queries over HTTPS, DoH), but very close -- the difference is basically setting the Accept HTTP header (or in the above cases the ct (content type) query string parameter) to application/dns-message in the API call. There are quite a few publicly available options for DoH servers, and I guess they can be used interchangeably.
Interesting idea, but creating a new browser extension within the scope ("branding") of DNSSEC name-and-shame is not a priority at this time. Closing this issue as out of scope. Perhaps work can go in to converting/extending/improving existing DNSSEC browser extension instead?
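The comment above describes two things an extension would have to do: send an RFC 8484 wire-format query (application/dns-message) instead of a JSON lookup, and use a deliberately bad-DNSSEC test to tell whether the resolver validated at all. The following JavaScript is an added example written for this thread, not code from dnssec-name-and-shame or from the DNSSEC Firefox extension. It builds a minimal wire-format query with the EDNS DO bit set, reads the AD/CD/RCODE flags from a response header, and classifies a name as secure, insecure or bogus by comparing a normal lookup with a CD=1 lookup (a SERVFAIL that turns into NOERROR when checking is disabled is a validation failure). The response messages are constructed by hand so the block runs offline; `dohQuery` is a hypothetical wrapper around `fetch` that is defined but not called, and the resolver URL passed to it is whatever DoH server you choose. As the comment notes, the AD bit reports the *resolver's* validation, not anything verified on the user's machine.

```javascript
// Added example: RFC 8484 DoH query construction and DNSSEC status from the
// response header. Not part of the dnssec-name-and-shame project.

const DNS_TYPE = { A: 1, DNSKEY: 48, TLSA: 52 };

// Encode "example.com" as DNS wire-format labels: 7 e x a m p l e 3 c o m 0
function encodeName(name) {
  const out = [];
  for (const label of name.replace(/\.$/, '').split('.')) {
    const bytes = new TextEncoder().encode(label);
    if (bytes.length === 0 || bytes.length > 63) throw new Error(`bad label "${label}"`);
    out.push(bytes.length, ...bytes);
  }
  out.push(0);
  return out;
}

// Build a query message. RFC 8484 recommends ID 0 so identical queries are
// cacheable; the OPT pseudo-RR (RFC 6891) carries the DO bit so RRSIGs come back.
function buildQuery(name, qtype, { cd = false } = {}) {
  const flags = 0x0100 | (cd ? 0x0010 : 0); // RD, plus CD (checking disabled) on request
  const header = [0, 0, flags >> 8, flags & 0xff, 0, 1, 0, 0, 0, 0, 0, 1]; // qd=1, ar=1
  const question = [...encodeName(name), qtype >> 8, qtype & 0xff, 0, 1]; // QCLASS IN
  const opt = [0, 0, 41, 0x10, 0x00, 0, 0, 0x80, 0x00, 0, 0]; // root, TYPE 41, 4096, DO
  return Uint8Array.from([...header, ...question, ...opt]);
}

// Read the 12-byte header of a response. Only the flags matter for status.
function parseHeader(msg) {
  if (msg.length < 12) throw new Error('DNS message shorter than header');
  const view = new DataView(msg.buffer, msg.byteOffset, msg.byteLength);
  const flags = view.getUint16(2);
  return {
    id: view.getUint16(0),
    qr: (flags & 0x8000) !== 0,
    ad: (flags & 0x0020) !== 0, // Authentic Data: resolver validated the answer
    cd: (flags & 0x0010) !== 0, // Checking Disabled echoed back from the query
    rcode: flags & 0x000f,      // 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
    qdcount: view.getUint16(4),
    ancount: view.getUint16(6),
  };
}

// Combine a normal lookup with a CD=1 lookup of the same name.
// A validating resolver answers a bogus zone with SERVFAIL unless CD is set.
function classify(normal, withCd) {
  if (normal.rcode === 0 && normal.ad) return 'secure';
  if (normal.rcode === 2 && withCd.rcode === 0) return 'bogus';
  if (normal.rcode === 0) return 'insecure';
  return 'error';
}

// Hypothetical DoH round trip (browser or Node 18+ fetch). Not called here.
async function dohQuery(resolverUrl, name, qtype, opts) {
  const res = await fetch(resolverUrl, {
    method: 'POST',
    headers: { 'content-type': 'application/dns-message', accept: 'application/dns-message' },
    body: buildQuery(name, qtype, opts),
  });
  if (!res.ok) throw new Error(`DoH HTTP status ${res.status}`);
  return parseHeader(new Uint8Array(await res.arrayBuffer()));
}

// Constructed responses for example.com A (192.0.2.1 is a documentation address).
const Q = [...encodeName('example.com'), 0, 1, 0, 1];
const ANSWER = [0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0x0e, 0x10, 0, 4, 192, 0, 2, 1];
const SAMPLE_SECURE   = Uint8Array.from([0, 0, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 0, ...Q, ...ANSWER]); // AD=1
const SAMPLE_INSECURE = Uint8Array.from([0, 0, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0, ...Q, ...ANSWER]); // AD=0
const SAMPLE_BOGUS    = Uint8Array.from([0, 0, 0x81, 0x82, 0, 1, 0, 0, 0, 0, 0, 0, ...Q]);            // SERVFAIL
const SAMPLE_BOGUS_CD = Uint8Array.from([0, 0, 0x81, 0x90, 0, 1, 0, 1, 0, 0, 0, 0, ...Q, ...ANSWER]); // CD=1, NOERROR

function demo() {
  return {
    secure: classify(parseHeader(SAMPLE_SECURE), parseHeader(SAMPLE_SECURE)),
    insecure: classify(parseHeader(SAMPLE_INSECURE), parseHeader(SAMPLE_INSECURE)),
    bogus: classify(parseHeader(SAMPLE_BOGUS), parseHeader(SAMPLE_BOGUS_CD)),
  };
}
```

The JSON-style APIs the comment mentions expose the same AD flag as a field in the JSON body, so `classify` works unchanged on either transport; only the query construction differs. Note that a "secure" verdict is still a statement by the chosen DoH resolver, which is exactly why it does not match what a validator on the local machine would have shown.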
Since the DANE/TLS validation extension was abandoned, browsers no longer have a way to see DNSSEC info or if there is a man-in-the-middle.
Having an extension (and/or UserScript) in the browser would be a more efficient way to access your site functionality, very much like the SSL extension that uses SSL Labs for displaying a rating. If you implement an API, perhaps other people may be able to query the site for info.