Not all servers labelled as supporting DNSSEC actually do #872

Closed
unbeatable-101 opened this issue Jan 16, 2024 · 11 comments
Comments

@unbeatable-101

I have require_dnssec = true set in my config and am only using dnscrypt servers from the default server list, yet when I use https://dnscheck.tools/ to check DNSSEC support, I'll sometimes get it saying DNSSEC is supported, and sometimes it will say it isn't. Here is an example of when it isn't.

[Screenshot 2024-01-16 at 13:41:34]

@unbeatable-101
Author

Sorry, that was a bad example, for some reason iCloud private relay turned itself back on (though that really should support DNSSEC), though it does happen with it actually disabled like here:
[Screenshot 2024-01-16 at 13:49:03]

@jedisct1
Member

I can't read images, sorry.

DNSSEC support is reported by dnscrypt-proxy -resolve:

$ dnscrypt-proxy -resolve example.com

./dnscrypt-proxy -resolve example.com
Resolving [example.com] using 127.0.0.1 port 53

Resolver      : 74.125.47.9
...
Name servers  : a.iana-servers.net., b.iana-servers.net.
DNSSEC signed : yes

What resolvers did you find not supporting DNSSEC while they had the DNSSEC bit set in their stamp?

@demarcush
Contributor

Does the current workflow test whether the stamp is advertising the resolver as DNSSEC-enabled but we couldn't get the response for example.com with DNSSEC signed : yes?

@jedisct1
Member

It doesn't. Maybe we can use -list -json to get the DNSSEC information from the stamp, and indeed compare that to the output of -resolve.

@jedisct1
Member

Added this to my regular check scripts. And sure enough, it quickly detected quite a few resolvers that advertise DNSSEC but don't support it.

I'm going to add it to prcheck and to the status monitor.

@c3d1c06c-bf26-477e-b0eb-c50ef4477ba6

Probably I'm doing it wrong, but both with https://dnscheck.tools/ ("Great! Your DNS responses are authenticated with DNSSEC") and using dnscrypt-proxy -resolve example.com ("DNSSEC signed : yes") I get positive results for e.g. UncensoredDNS.

How to get the correct result?

@jedisct1
Member

> Probably I'm doing it wrong, but both with https://dnscheck.tools/ ("Great! Your DNS responses are authenticated with DNSSEC") and using dnscrypt-proxy -resolve example.com ("DNSSEC signed : yes") I get positive results for e.g. UncensoredDNS.

I just set server_names = ['uncensoreddns-dk-ipv4'], and ran dnscrypt-proxy -resolve example.com:

Resolving [example.com] using 127.0.0.1 port 53

Resolver      : 89.233.43.71 (unicast.censurfridns.dk.)
Lying         : no
DNSSEC        : no, the resolver doesn't support DNSSEC
ECS           : ignored or selective

@c3d1c06c-bf26-477e-b0eb-c50ef4477ba6

Thanks, so:

  1. Only 1 server is allowed in server_names.
  2. One needs to look at "DNSSEC", not "DNSSEC signed".
  3. https://dnscheck.tools/ checks the response, i.e. gives the same result as "DNSSEC signed".

@jedisct1
Member

"DNSSEC signed" is printed in the section about the domain name you are querying, not the server properties.

@demarcush
Contributor

@c3d1c06c-bf26-477e-b0eb-c50ef4477ba6

> How to get the correct result?

Manually I'd use this to verify the resolver's functionality

$ dnslookup go.dnscheck.tools [stamp]

and

$ dnslookup badsig.go.dnscheck.tools [stamp]

to verify it's doing DNSSEC; it should return SERVFAIL if DNSSEC is on.

@demarcush
Contributor

It would be useful to do the test in reverse too: when a resolver doesn't advertise DNSSEC (human error during addition) but it does indeed support DNSSEC.
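The consistency check jedisct1 describes (the stamp's DNSSEC flag from `-list -json` compared against the server-property `DNSSEC` line of `-resolve`), extended with demarcush's reverse case, as an added example that is not part of this thread or of dnscrypt-proxy itself. It assumes `-list -json` yields objects with a `name` and a boolean `dnssec` field; the `-resolve` outputs are constructed samples, one per server, as you would collect them by setting `server_names` to that single server and running `dnscrypt-proxy -resolve example.com`.

```python
import json
import re
from typing import Optional

# Constructed stand-in for `dnscrypt-proxy -list -json` (assumed shape: a list
# of objects whose "dnssec" boolean mirrors the DNSSEC bit of the stamp).
SAMPLE_LIST_JSON = json.dumps([
    {"name": "example-a", "dnssec": True},
    {"name": "example-b", "dnssec": True},
    {"name": "example-c", "dnssec": False},
])

# Constructed `-resolve` outputs, keyed by server name. Only the server-property
# "DNSSEC" line matters; "DNSSEC signed" describes the queried name, not the server.
SAMPLE_RESOLVE = {
    "example-a": "Resolver      : 192.0.2.1\nDNSSEC        : yes\nDNSSEC signed : yes\n",
    "example-b": ("Resolver      : 192.0.2.2\n"
                  "DNSSEC        : no, the resolver doesn't support DNSSEC\n"
                  "DNSSEC signed : yes\n"),
    "example-c": "Resolver      : 192.0.2.3\nDNSSEC        : yes\nDNSSEC signed : yes\n",
}

# Matches "DNSSEC        : yes" / "DNSSEC        : no, ..." but not "DNSSEC signed : ...".
DNSSEC_LINE = re.compile(r"^DNSSEC\s*:\s*(yes|no)\b", re.MULTILINE)


def resolver_supports_dnssec(resolve_output: str) -> Optional[bool]:
    """Return True/False from the server-property DNSSEC line, None if absent."""
    m = DNSSEC_LINE.search(resolve_output)
    return None if m is None else m.group(1) == "yes"


def classify(advertised: bool, observed: Optional[bool]) -> str:
    """Compare the stamp's claim with observed behaviour, in both directions."""
    if observed is None:
        return "unknown"
    if advertised and not observed:
        return "advertised-but-unsupported"
    if observed and not advertised:
        return "supported-but-not-advertised"
    return "consistent"


def check_all(list_json: str, resolve_outputs: dict) -> dict:
    """Map each server name from -list -json to its classification."""
    return {s["name"]: classify(bool(s.get("dnssec")),
                                resolver_supports_dnssec(resolve_outputs.get(s["name"], "")))
            for s in json.loads(list_json)}


if __name__ == "__main__":
    for name, verdict in check_all(SAMPLE_LIST_JSON, SAMPLE_RESOLVE).items():
        print(f"{name}: {verdict}")
```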