topic Re: DNSSEC does not work on Production Resolvers in OpenDNS

DNSSEC does not work on Production Resolvers

pavlicekdevid — Fri, 28 Feb 2020 19:10:44 GMT

OpenDNS announced that it will start supporting the DNSSEC protocol on 24.02.2020 for production resolvers (DNSSEC General Availability). I am using the DNS resolvers 208.67.222.222 and 208.67.220.220.

But when I enable the DNSSEC support in my router settings (Asus RT-AC88U) I can't reach any websites. So my question is is it already supported ? Does anyone else use DNSSEC with production resolvers ?

These are the settings on my Router. When I enable "Validate unsigned DNSSEC replies" I can't reach any website anymore.

Re: DNSSEC does not work on Production Resolvers

rotblitz — Fri, 28 Feb 2020 20:20:09 GMT

It seems your router attempts to validate all replies, not just unsigned DNSSEC replies.

You need to understand what DNSSEC is.
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

You should not need to change any settings.

Re: DNSSEC does not work on Production Resolvers

pavlicekdevid — Fri, 28 Feb 2020 21:47:05 GMT

Hi 309368103, but why does "Sandbox" and "FamilyShield" work when enabling the setting "Validate unsigned DNSSEC replies" ?

Also for DNSSEC to work I thought that both Server and Client site have to enable it. https://ititch.com/dnssec-what-you-need-to-know/

Re: DNSSEC does not work on Production Resolvers

rotblitz — Sat, 29 Feb 2020 12:47:52 GMT

I don’t know why it sometimes works. I do not know your router.

And yes, client is OpenDNS, and server is the authoritative nameserver of the DNSSEC enabled domain. As you can see, you are out of the game.

Re: DNSSEC does not work on Production Resolvers

pavlicekdevid — Sat, 07 Mar 2020 10:03:19 GMT

309368103 It seems more as a bug to me. With the option "Validate unsigned DNSSEC replies" enabled on my Router (Asus RT-AC88U) it is only not working on the Production resolvers (208.67.222.222, 208.67.220.220).

As i suspected it is a issue on the OpenDNS side, as they changed now the date for the Production resolvers to March 10, 2020. Before it was February 24, 2020. You can check this forum post also.

Re: DNSSEC does not work on Production Resolvers

rotblitz — Sat, 07 Mar 2020 13:14:10 GMT

Ok, this may be the reason for not working. I still do not understand what your router has to do with it though. The routers I know do not have such settings.

Re: DNSSEC does not work on Production Resolvers

pavlicekdevid — Sat, 07 Mar 2020 13:41:50 GMT

Enabling DNSSEC in the Router ensures the validation over the "last mile".

“Enabling DNSEC in the router GUI ensures DNSSEC validation over the ‘last mile’, ie, between the DNS server & you.
So, Cloudflare (or Google, or Quad9) does DNSSEC=yes: enabling locally means you are verifying locally what you get from Cloudflare (or Google, Quad9) as being still ok, not tampered with, when it gets to you. (found here)“

“While DNSSEC ensures integrity of data between a resolver and an authoritative server, it does not protect the privacy of the “last mile” towards you. DNS resolver, 1.1.1.1, supports both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering. (found here)”

Re: DNSSEC does not work on Production Resolvers

rotblitz — Sat, 07 Mar 2020 14:10:29 GMT

I see now. Thanks. It looks like my router does this automatically. Even better.

Re: DNSSEC does not work on Production Resolvers

pavlicekdevid — Wed, 11 Mar 2020 10:42:26 GMT

For anyone who is reading this and is also interested to implement DNSSEC to the "last mile" I am reporting that this now works perfectly on the production resolvers too.