Enable DNSSEC support question

jgrove

Regular Contributor
Hi All,

Should I turn on the option "Enable DNSSEC support" in Merlin's firmware? Sorry for such a bland question,

Thanks
 
I am using OpenDNS servers (they should be DNSSEC capable)

here is DNSSEC test, but I can't get it to work :((
http://dnssec.vs.uni-due.de/

on LAN - DHCP Server - DNSSEC is Enabled

any idea how to test this, get it working?
AC68U running - 380.58_alpha3
 
OpenDNS does not have DNSSEC, they only have DNSCrypt

You can try Google's DNS servers, they are DNSSEC capable, although they don't have DNSCrypt.

8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844

DNSCrypt.eu is both DNSSEC and DNSCrypt capable, never tried them myself though.

Here's some more DNSSEC test pages:

http://dnssec-tools.org/ (Gives Green Pass message)
http://www.dnssec-failed.org/ (Page Shouldn’t Display if working)
https://dnssectest.sidnlabs.nl/ (Gives Green Pass Tick)
http://www.dnssec.nl/home.html (Gives green ticks of DNSSEC and IPv6 on top of page)

Sent from my iPhone using Tapatalk
 
@Veldkornet - thank you, it works with google public dns
I didn't know that OpenDNS doesn't support DNSSEC
I have read something about OpenDNS and DNSCrypt, but I don't recall if they have stated anywhere they don't support DNSSEC. Anyway, issue is resolved :) cheers
 
OpenDNS do say the following here on their site:

3. What about DNSSEC? Does this eliminate the need for DNSCrypt?
No. DNSCrypt and DNSSEC are complementary. DNSSEC does a number of things. First, it provides authentication. (Is the DNS record I’m getting a response for coming from the owner of the domain name I’m asking about or has it been tampered with?) Second, DNSSEC provides a chain of trust to help establish confidence that the answers you’re getting are verifiable. But unfortunately, DNSSEC doesn’t actually provide encryption for DNS records, even those signed by DNSSEC. Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.
That said, DNSSEC and DNSCrypt can work perfectly together. They aren’t conflicting in any way. Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records. There are benefits to DNSSEC that DNSCrypt isn’t trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.

So I found it weird that they don't support it. But to be sure, I logged a ticket with them and got the following response:

Currently DNSSEC is not implemented and there is no ETA on when it will be.

I hope this helps.


Sent from my iPhone using Tapatalk
 
thank you @Veldkornet - for asking OpenDNS if/when they will support DNSSEC

as you said, quoting their sentence "DNSCrypt and DNSSEC are complementary." it makes no sense they don't support DNSSEC if they have to run DNSSEC in order for DNSCrypt to work
I have changed for the moment to Google Public DNS
 
FYI, I see on the OpenDNS site you can "vote" to have it implemented here.
Currently only 5 people have voted for it.
 
No, DNSSEC isn't required for DNSCrypt to work.
 
Pretty sure I didn't: "it makes no sense they don't support DNSSEC if they have to run DNSSEC in order for DNSCrypt to work"
 
Bit of an old thread, sorry. I hope it's not too late to do a little CPR on it.

I had never enabled the DNSSEC setting until now. Looks like the provider I've been using, Norton ConnectSafe, supports DNSSEC.

https://dns.norton.com/

HTH
 
Sorry for bumping an old thread, but I have a question. I have Comcast, which has DNSSEC-enabled DNS. I have not turned on the "Enable DNSSEC support" option in the Merlin firmware, yet I still see indications that DNSSEC is working when I go to the test pages listed in this thread?

Any idea why that is? What exactly does the "Enable DNSSEC support" option do then? Does it just enable DNSSEC support for the router's DNS server?
 
What DNS are you using on your test computer? If you aren't using your router's IP but directly using the ISP's DNS, that would be why.
 
DNS is the router's ip address.

Then I have no idea how it could be reporting DNSSEC support, unless something in their test is flawed.
 
I tested a bunch of sites and all sites are reporting DNSSEC is active.

Is the router simply passing along DNS requests to the WAN DHCP assigned DNS servers if they have DNSSEC in them?
 
The router passes the request to upstream servers, however it's the one delivering the result to your client.
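
Added example, not part of any post in this thread: the test pages above only show the end result, so this sketch queries a resolver directly and compares a correctly signed name with the deliberately broken dnssec-failed.org. A SERVFAIL for the broken name means some resolver on the path validated, whether that is the router or the upstream server it forwards to. Treating dnssec-tools.org as correctly signed, and all function names, are assumptions.

```python
import socket
import struct

RCODE_SERVFAIL = 2

def build_query(name, qid=0x1234):
    """A query with RD+AD flags and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0120, 1, 0, 0, 1)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)                # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)  # DO bit sits in the TTL field
    return header + question + opt

def parse_flags(response):
    """Return (rcode, ad_flag) from the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0020)

def ask(server, name, timeout=3.0):
    """Send one UDP query to the resolver under test and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def classify(signed_reply, broken_reply):
    """Compare replies for a correctly signed name and a deliberately broken one."""
    s_rcode, s_ad = parse_flags(signed_reply)
    b_rcode, _ = parse_flags(broken_reply)
    if s_rcode != 0:
        return "inconclusive", s_ad
    if b_rcode == RCODE_SERVFAIL:
        return "validated", s_ad  # a resolver on the path rejected the bad signature
    return ("not validated" if b_rcode == 0 else "inconclusive"), s_ad

def sample_header(flags):
    """Constructed 12-byte reply header for offline use (not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    server = sys.argv[1]  # resolver to test, for example the router's LAN address
    # dnssec-failed.org is the deliberately broken zone listed in the thread;
    # using dnssec-tools.org as the correctly signed name is an assumption.
    print(classify(ask(server, "dnssec-tools.org"), ask(server, "www.dnssec-failed.org")))
```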