Advice opendns dnssec

Hello, I found out that OpenDNS can finally use DNSSEC (208.67.222.222, dns.opendns.com). Why is this DNS not recommended?

Maybe because of this:

Decide by yourself what you like to use.

BR
Trash

Yeah, I read about it… but I didn’t understand very well what the issue is with “Strips all DNS signatures and is therefore entirely unusable”.

DNSSEC operates on a principle of a chain of trust, originating from a universally acknowledged root and proceeding through the DNS hierarchy. Each level is authenticated using cryptographic signatures.

Upon receipt of a DNSSEC-enabled DNS response, which includes digital signatures and keys, the DNS resolver initiates verification of the response’s authenticity. This process begins by using the root’s public key to validate the digital signature of the subsequent level in the DNS hierarchy (e.g., .com, .org, .net, etc.). The process repeats, moving down each level of the DNS hierarchy, verifying the signature of each DNS record using the public key of the level above it.

This verification procedure forms a ‘chain’ of validations extending from the root to the final DNS record. If every link in the chain is validated, the DNS record is considered trustworthy. However, if any validation fails, the record is deemed untrusted, and the resolver should return an error. This chain of trust ensures the reliability and authenticity of DNS responses.

A DNS resolver that technically supports DNSSEC but disregards these signature validations undermines the very essence of DNSSEC. By sidestepping DNSSEC’s core functionality, it fails to protect against DNS spoofing and ensure data integrity.

Why use DNSSEC at all if a resolver is discarding the security benefits?

4 Likes
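A way to see the difference in practice, as an added example that is not part of this thread: the script below parses a DNS response in wire format and reports whether the resolver set the AD (Authenticated Data) flag and whether any RRSIG records survived in the answer. The two responses are constructed inline (not captured traffic) to stand in for a validating resolver and for one that strips signatures; it assumes the query was sent with the DO bit set (as `dig +dnssec` does), since otherwise no RRSIGs are returned in the first place.

```python
import struct
RRSIG = 46         # RR type number of a DNSSEC signature record
AD_FLAG = 0x0020   # "Authenticated Data" bit in the DNS header flags

def encode_name(name):  # wire-encode a dotted name, no compression
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def dnssec_report(msg):
    """Parse a response: AD flag set? how many answers, how many of them RRSIGs?"""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                # question: name, qtype, qclass
        off = skip_name(msg, off) + 4
    rrsigs = 0
    for _ in range(an):                # answer RR: name, type, class, ttl, rdlen, rdata
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrsigs += rtype == RRSIG
    return {"ad": bool(flags & AD_FLAG), "answers": an, "rrsigs": rrsigs}

def classify(report):
    """Turn the report into the resolver behaviour the thread is discussing."""
    if report["rrsigs"] == 0:
        return "strips signatures"     # nothing left for a client to validate
    if report["ad"]:
        return "validating"            # resolver checked the chain of trust itself
    return "forwards signatures without validating"

def build_response(name, ad, with_rrsig):
    """Constructed sample response (not captured traffic): one A record, optional dummy RRSIG."""
    answers = [(1, b"\xc0\x00\x02\x01")]           # type A, rdata 192.0.2.1
    if with_rrsig:
        answers.append((RRSIG, b"\x00" * 18))       # placeholder rdata; only the type matters here
    flags = 0x8180 | (AD_FLAG if ad else 0)         # QR, RD, RA (+AD)
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)      # question: A IN
    for rtype, rdata in answers:                    # b"\xc0\x0c" = pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg
```

To check a live resolver, feed `dnssec_report` the raw bytes of a response to a `dig +dnssec` query instead of the constructed ones; a result with no RRSIGs is what the “strips all DNS signatures” note describes.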

OK, thank you for the explanation!!! Just to check… I was using this site to query the resolver:

https://dnsviz.net/d/resolver1.opendns.com/dnssec/

Looks like the last step is “insecure”; is that the problem?

Decide by yourself what you like to use and what and whom you trust or trust more.

BR
Trash

Yes, I think so.

1 Like