Not all servers labelled as supporting DNSSEC actually do #872
Comments
I can't read images, sorry. DNSSEC support is reported by
What resolvers did you find not supporting DNSSEC while they had the DNSSEC bit set in their stamp?

Does the current workflow test whether the stamp is advertising the resolver as DNSSEC-enabled but we couldn't get the response for

It doesn't. Maybe we can use

Added this to my regular check scripts. And sure enough, it quickly detected quite a few resolvers that advertise DNSSEC but don't support it. I'm going to add it to prcheck and to the status monitor.

Probably I'm doing it wrong, but both with https://dnscheck.tools/ ("Great! Your DNS responses are authenticated with DNSSEC") and using
How to get the correct result?

I just set

Thanks, so:

"DNSSEC signed" is printed in the section about the domain name you are querying, not the server properties.

@c3d1c06c-bf26-477e-b0eb-c50ef4477ba6
Manually I'd use this to verify the resolver's functionality
and
to verify it's DNSSEC; it should return

It would be useful to do the test in reverse too: when a resolver doesn't advertise DNSSEC (human error during addition) but it does indeed support DNSSEC.

I have
require_dnssec = true
set in my config and am only using dnscrypt servers from the default server list, yet when I use https://dnscheck.tools/ to check DNSSEC support, I'll sometimes get it saying DNSSEC is supported, and sometimes it will say it isn't. Here is an example of when it isn't.
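
An added example (not part of the thread, and not the project's own check scripts) of the comparison discussed here, in both directions: it decodes the DNSSEC bit from a stamp's props field and compares it with the AD flag in a DNS response header. It assumes the response came from a query for a name known to be DNSSEC-signed, sent with the DO bit set; the sample stamps and headers are constructed, and treating the AD flag as the support signal is an assumption, since the thread does not show which test was used.

```python
import base64
import struct

DNSSEC_PROP = 0x01  # bit 0 of the stamp's 64-bit little-endian props field
AD_FLAG = 0x0020    # "Authenticated Data" bit in the DNS header flags word
RCODE_MASK = 0x000F

def stamp_advertises_dnssec(stamp: str) -> bool:
    """True if the DNS stamp's props field has the DNSSEC bit set."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 9 or raw[0] == 0x81:  # 0x81 = DNSCrypt relay, carries no props
        raise ValueError("stamp has no props field")
    return bool(struct.unpack_from("<Q", raw, 1)[0] & DNSSEC_PROP)

def response_is_validated(response: bytes) -> bool:
    """True if the reply is NOERROR and the resolver set the AD flag."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack_from("!H", response, 2)[0]
    return (flags & RCODE_MASK) == 0 and bool(flags & AD_FLAG)

def classify(stamp: str, response: bytes) -> str:
    """Compare what the stamp advertises with what the resolver returned."""
    advertised = stamp_advertises_dnssec(stamp)
    observed = response_is_validated(response)
    if advertised and not observed:
        return "advertised-but-not-validating"
    if observed and not advertised:
        return "validating-but-not-advertised"
    return "consistent"

# Constructed sample data (not real resolvers or captured traffic).
def make_stamp(props: int) -> str:
    body = b"\x01" + struct.pack("<Q", props) + b"\x09127.0.0.1"
    return "sdns://" + base64.urlsafe_b64encode(body).decode().rstrip("=")

def make_header(flags: int) -> bytes:
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    for props, flags in [(0x01, 0x81A0), (0x01, 0x8180), (0x06, 0x81A0)]:
        print(hex(props), hex(flags), classify(make_stamp(props), make_header(flags)))
```

The AD flag is the resolver's own claim that it validated the answer, so a mismatch found this way flags a listing to re-check rather than proving the resolver's behaviour.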