What's new

Enable DNSSEC support question

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

jgrove

Regular Contributor
Hi All,

Should i turn on the option "Enable DNSSEC support" in Merlins firmware? Sorry for such a bland question,

Thanks
 
I am using OpenDNS servers (they should be DNSSEC capable)

here is DNSSEC test, but I can't get it to work :((
http://dnssec.vs.uni-due.de/

on LAN - DHCP Server - DNSSEC is Enabled

any idea how to test this, get it working?
AC68U running - 380.58_alpha3
 
Last edited:
I am using OpenDNS servers (they should be DNSSEC capable)

here is DNSSEC test, but I can't get it to work :((
http://dnssec.vs.uni-due.de/

on LAN - DHCP Server - DNSSEC is Enabled

any idea how to test this, get it working?

OpenDNS does not have DNSSEC, they only have DNSCrypt

You can try Google's DNS servers, they are DNSSEC capable, although they don't have DNSCrypt.

8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844

DNSCrypt.eu is both DNSSEC and DNSCrypt capable, never tried them myself though.

Here's some more DNSSEC test pages:

http://dnssec-tools.org/ (Gives Green Pass message)
http://www.dnssec-failed.org/ (Page Shouldn’t Display if working)
https://dnssectest.sidnlabs.nl/ (Gives Green Pass Tick)
http://www.dnssec.nl/home.html (Gives green ticks of DNSSEC and IPv6 on top of page)

Sent from my iPhone using Tapatalk
 
Last edited:
@Veldkornet - thank you, it works with google public dns
I didn't knew that OpenDNS doesn't support DNSSEC
I have red something about OpenDNS and DNSCrypt, but I don't recall if they have stated anywhere they don't support DNSSEC. Anyway, issue is resolved :) cheers
 
OpenDNS do say the following here on their site:

3. What about DNSSEC? Does this eliminate the need for DNSCrypt?
No. DNSCrypt and DNSSEC are complementary. DNSSEC does a number of things. First, it provides authentication. (Is the DNS record I’m getting a response for coming from the owner of the domain name I’m asking about or has it been tampered with?) Second, DNSSEC provides a chain of trust to help establish confidence that the answers you’re getting are verifiable. But unfortunately, DNSSEC doesn’t actually provide encryption for DNS records, even those signed by DNSSEC. Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.
That said, DNSSEC and DNSCrypt can work perfectly together. They aren’t conflicting in any way. Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records. There are benefits to DNSSEC that DNSCrypt isn’t trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.

So I found it weird that they don't support it. But to be sure, I logged a ticket with them and got the following response:

Currently DNSSEC is not implemented and there is no ETA on when it wil be.

I hope this helps.


Sent from my iPhone using Tapatalk
 
thank you @Veldkornet - for asking OpenDNS if/when they will support DNSSEC

as you said, quoting their sentence "DNSCrypt and DNSSEC are complementary." it makes no sense they don't support DNSSEC if they have to run DNSSEC in order for DNSCrypt to work
I have changed for the moment to Google Public DNS
 
thank you @Veldkornet - for asking OpenDNS if/when they will support DNSSEC

as you said, quoting their sentence "DNSCrypt and DNSSEC are complementary." it makes no sense they don't support DNSSEC if they have to run DNSSEC in order for DNSCrypt to work
I have changed for the moment to Google Public DNS

FYI, I see on the OpenDNS site you can "vote" to have it implemented here.
Currently only 5 people have voted for it.
 
thank you @Veldkornet - for asking OpenDNS if/when they will support DNSSEC

as you said, quoting their sentence "DNSCrypt and DNSSEC are complementary." it makes no sense they don't support DNSSEC if they have to run DNSSEC in order for DNSCrypt to work
I have changed for the moment to Google Public DNS
No, DNSSEC isn't required for DNSCrypt to work.
 
Pretty sure I didn't: "it makes no sense they don't support DNSSEC if they have to run DNSSEC in order for DNSCrypt to work"
 
Bit of an old thread, sorry. I hope it's not too late to do a little CPR on it.

I had never enabled the DNSSEC setting until now. Looks like the provider I've been using, Norton ConnectSafe, supports DNSSEC.

https://dns.norton.com/

HTH
 
Sorry for bumping an old thread, but I have a question. I have Comcast which has DNSSEC enable DNS. I have not turned on the "Enable DNSSEC support" option in the Merlin firmware, yet I still indications that DNSSEC is working when I go to the test pages listed in this thread?

Any idea why that is? What exactly does the "Enable DNSSEC support" option do then? Does it just enable DNSSEC support for the router's DNS server?
 
Sorry for bumping an old thread, but I have a question. I have Comcast which has DNSSEC enable DNS. I have not turned on the "Enable DNSSEC support" option in the Merlin firmware, yet I still indications that DNSSEC is working when I go to the test pages listed in this thread?

Any idea why that is? What exactly does the "Enable DNSSEC support" option do then? Does it just enable DNSSEC support for the router's DNS server?

What DNS are you using on your test computer? If you aren't using your router's IP but directly using the ISP's DNS, that would be why.
 
DNS is the router's ip address.

Then I have no idea how it could be reporting DNSSEC support, unless something in their test is flawed.
 
Then I have no idea how it could be reporting DNSSEC support, unless something in their test is flawed.

I tested a bunch of sites and all sites are reporting DNSSEC is active.

Is the router simply passing along DNS requests to the WAN DHCP assigned DNS servers if they have DNSSEC in them?
 
Last edited:
I tested a bunch of sites and all sites are reporting DNSSEC is active.

Is the router simply passing along DNS requests to the WAN DHCP assigned DNS servers if they have DNSSEC in them?

The router passes the request to upstream servers, howver it's the one delivering the result to your client.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top