Hello, I found out that OpenDNS can finally use DNSSEC (208.67.222.222, dns.opendns.com). Why is this DNS not recommended?
Maybe because of this:
Decide by yourself what you like to use.
BR
Trash
Yeah, I read about it... but I didn't understand very well what the issue is with "Strips all DNS signatures and is therefore entirely unusable".
DNSSEC operates on a principle of a chain of trust, originating from a universally acknowledged root and proceeding through the DNS hierarchy. Each level is authenticated using cryptographic signatures.
Upon receipt of a DNSSEC-enabled DNS response, which includes digital signatures and keys, the DNS resolver initiates verification of the response's authenticity. This process begins by using the root's public key to validate the digital signature of the subsequent level in the DNS hierarchy (e.g., .com, .org, .net, etc.). The process repeats, moving down each level of the DNS hierarchy, verifying the signature of each DNS record using the public key of the level above it.
This verification procedure forms a "chain" of validations extending from the root to the final DNS record. If every link in the chain is validated, the DNS record is considered trustworthy. However, if any validation fails, the record is determined untrusted, and the resolver should return an error. This chain of trust ensures the reliability and authenticity of DNS responses.
A DNS resolver that technically supports DNSSEC but disregards these signature validations undermines the very essence of DNSSEC. By sidestepping DNSSEC's core functionality, it fails to protect against DNS spoofing and ensure data integrity.
Why use DNSSEC at all if a resolver is discarding the security benefits?
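A way to see this from the client side, as an added example that is not part of any post in this thread: send a query with the EDNS0 DO bit set for a name in a signed zone, then check whether the reply carries RRSIG records and the AD flag. The helper names are illustrative and the two sample replies are constructed (dummy signature bytes); `query()` is the live variant and assumes the name you ask for is in a DNSSEC-signed zone.

```python
# Added example; helper names are illustrative, sample replies are constructed.
import socket, struct

RRSIG, OPT = 46, 41  # RR type codes

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT record whose DO bit asks for signatures."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0x8000, 0)  # 0x8000 = DO flag
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg):
    """Report the AD flag and how many RRSIG records the answer section carries."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, rrsigs = 12, 0
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrsigs += rtype == RRSIG
    return {"ad": bool(flags & 0x0020), "answers": an, "rrsigs": rrsigs}

def query(resolver_ip, name, timeout=3.0):
    """Send the DO-bit query to a resolver over UDP and inspect the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return inspect_response(s.recv(4096))

def make_sample(signed):
    """Constructed reply for offline use; the RRSIG rdata is dummy bytes."""
    question = build_query("example.com")[12:-11]  # strip header and OPT
    rr = lambda t, rd: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
    answers = rr(1, bytes([192, 0, 2, 1])) + (rr(RRSIG, bytes(20)) if signed else b"")
    flags = 0x81A0 if signed else 0x8180  # AD (0x0020) only in the signed case
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if signed else 1, 0, 0) + question + answers

if __name__ == "__main__":
    print(inspect_response(make_sample(True)), inspect_response(make_sample(False)))
```

A reply with `rrsigs` at 0 and `ad` false for a signed name means the client received nothing it could use to verify the chain; the AD flag on its own is only the resolver's claim that it validated.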
OK, thank you for the explanation!!! Just to check... I was using this site to query the resolver:
https://dnsviz.net/d/resolver1.opendns.com/dnssec/
Looks like the last step is "insecure"; is that the problem?
Decide by yourself what you like to use and what and whom you trust or trust more.
BR
Trash
Yes, I think so.