DNSSEC does not work on Production Resolvers

pavlicekdevid
Level 1

OpenDNS announced that it will start supporting the DNSSEC protocol on 24.02.2020 for production resolvers (DNSSEC General Availability). I am using the DNS resolvers 208.67.222.222 and 208.67.220.220.

But when I enable the DNSSEC support in my router settings (Asus RT-AC88U) I can't reach any websites. So my question is: is it already supported? Does anyone else use DNSSEC with production resolvers?

These are the settings on my Router. When I enable "Validate unsigned DNSSEC replies" I can't reach any website anymore.

8 Replies

rotblitz
Level 6

It seems your router attempts to validate all replies, not just unsigned DNSSEC replies.

You need to understand what DNSSEC is.
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

You should not need to change any settings.

pavlicekdevid
Level 1

Hi 309368103, but why do "Sandbox" and "FamilyShield" work when enabling the setting "Validate unsigned DNSSEC replies"?

Also, for DNSSEC to work I thought that both the server and client side have to enable it. https://ititch.com/dnssec-what-you-need-to-know/

rotblitz
Level 6

I don’t know why it sometimes works. I do not know your router.

And yes, client is OpenDNS, and server is the authoritative nameserver of the DNSSEC enabled domain. As you can see, you are out of the game.

pavlicekdevid
Level 1

309368103 It seems more like a bug to me. With the option "Validate unsigned DNSSEC replies" enabled on my Router (Asus RT-AC88U) it is not working only on the Production resolvers (208.67.222.222, 208.67.220.220).

As I suspected, it is an issue on the OpenDNS side, as they have now changed the date for the Production resolvers to March 10, 2020. Before it was February 24, 2020. You can check this forum post as well.

rotblitz
Level 6

Ok, this may be the reason it is not working. I still do not understand what your router has to do with it though. The routers I know do not have such settings.

pavlicekdevid
Level 1

Enabling DNSSEC in the Router ensures the validation over the "last mile".

“Enabling DNSSEC in the router GUI ensures DNSSEC validation over the ‘last mile’, i.e., between the DNS server & you.
So, Cloudflare (or Google, or Quad9) does DNSSEC=yes: enabling locally means you are verifying locally what you get from Cloudflare (or Google, Quad9) as being still ok, not tampered with, when it gets to you. (found here)”

“While DNSSEC ensures integrity of data between a resolver and an authoritative server, it does not protect the privacy of the “last mile” towards you. DNS resolver, 1.1.1.1, supports both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering. (found here)”

rotblitz
Level 6

I see now. Thanks. It looks like my router does this automatically. Even better.

pavlicekdevid
Level 1

For anyone who is reading this and is also interested in implementing DNSSEC on the "last mile": I am reporting that this now works perfectly on the production resolvers too.
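
A quick way to confirm what this thread is about, as an added example that is not part of the original posts: a router validating the "last mile" needs the upstream resolver to return DNSSEC-validated answers (AD flag set, RRSIG/DS records present), so this script queries a resolver with the DO bit set and classifies the reply. It assumes `dig` is installed; the resolver addresses are the ones quoted in the thread and `example.com` is used only because it is a publicly signed zone.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a resolver hands back
# DNSSEC-validated answers, which "last mile" validation on a router relies on.
# Assumes dig (dnsutils / bind-utils) is available.

# Read dig output on stdin and classify the reply:
#   validated     - AD (Authenticated Data) flag set: resolver validated the chain
#   not-validated - answer came back without the AD flag
#   servfail      - resolver refused to answer (validation failure or outage)
classify_dig_output() {
    awk '
        /status: SERVFAIL/ { status = "servfail" }
        /^;; flags:/ {
            line = $0
            sub(/^;; flags: */, "", line)   # drop the ";; flags: " prefix
            sub(/;.*$/, "", line)           # keep only the flag list
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "servfail") print "servfail"
            else if (ad)              print "validated"
            else                      print "not-validated"
        }'
}

# Live check: ask RESOLVER for NAME with the DO bit set (+dnssec) and classify.
# Example: check_resolver 208.67.222.222 example.com
check_resolver() {
    dig +dnssec +time=3 +tries=1 "@$1" "$2" A 2>/dev/null | classify_dig_output
}

# Constructed dig header fragments (not real captures) for an offline demonstration.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FAILED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

classify_sample() { printf '%s\n' "$1" | classify_dig_output; }

# With resolver addresses as arguments, run the live check against each one.
# A "not-validated" result for a signed zone means a validating router behind
# that resolver will reject its replies, which matches the symptom in the thread.
for resolver in "$@"; do
    printf '%s: %s\n' "$resolver" "$(check_resolver "$resolver" example.com)"
done
```

Run it as `sh check.sh 208.67.222.222 208.67.220.220` to compare both production resolvers; a resolver that validates should also answer `servfail` for a zone that is deliberately mis-signed.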