Advice opendns dnssec

Hello, I found out that OpenDNS can finally use DNSSEC (208.67.222.222, dns.opendns.com). Why is this DNS not recommended?

Maybe because of this:

Decide by yourself what you like to use.

BR
Trash

Yeah, I read about it… but I didn't understand very well what the issue is about "Strips all DNS signatures and is therefore entirely unusable".

DNSSEC operates on a principle of a chain of trust, originating from a universally acknowledged root and proceeding through the DNS hierarchy. Each level is authenticated using cryptographic signatures.

Upon receipt of a DNSSEC-enabled DNS response, which includes digital signatures and keys, the DNS resolver initiates verification of the response's authenticity. This process begins by using the root's public key to validate the digital signature of the subsequent level in the DNS hierarchy (e.g., .com, .org, .net, etc.). The process repeats, moving down each level of the DNS hierarchy, verifying the signature of each DNS record using the public key of the level above it.

This verification procedure forms a 'chain' of validations extending from the root to the final DNS record. If every link in the chain is validated, the DNS record is considered trustworthy. However, if any validation fails, the record is determined untrusted, and the resolver should return an error. This chain of trust ensures the reliability and authenticity of DNS responses.

A DNS resolver that technically supports DNSSEC but disregards these signature validations undermines the very essence of DNSSEC. By sidestepping DNSSEC's core functionality, it fails to protect against DNS spoofing and ensure data integrity.

Why use DNSSEC at all if a resolver is discarding the security benefits?

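To make the "strips all DNS signatures" point concrete, here is an added example (not from this thread, and not OpenDNS code) that builds a DNS query with the EDNS0 DO bit set and classifies a resolver's reply by its AD header flag and whether any RRSIG records came back. The sample responses are constructed for offline use; example.com and 192.0.2.1 are placeholders, and the RRSIG rdata is a dummy so only its presence matters.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
AD_FLAG, DO_FLAG = 0x0020, 0x8000   # AD: DNS header flag; DO: EDNS0 OPT flag

def encode_name(name):
    return b"".join(bytes([len(x)]) + x.encode() for x in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid=0x1234):
    # Header: id, flags (RD=1), qdcount 1, ancount 0, nscount 0, arcount 1 (the OPT record)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", TYPE_A, 1)
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags with DO set, rdlen 0
    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, DO_FLAG, 0)
    return header + question + opt

def _skip_name(msg, off):
    # Advance past a wire-format name; a compression pointer (top two bits set) is 2 bytes long
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_response(resp):
    flags, qd, an, ns, ar = struct.unpack(">HHHHH", resp[2:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4        # skip qtype and qclass
    types = set()
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, rdlen = struct.unpack(">H6xH", resp[off:off + 10])   # type, (class, ttl), rdlen
        types.add(rtype)
        off += 10 + rdlen
    ad, has_rrsig = bool(flags & AD_FLAG), TYPE_RRSIG in types
    if has_rrsig and ad:
        return "validating"    # signatures returned and the resolver asserts it verified the chain
    if has_rrsig:
        return "passthrough"   # signatures returned, but the resolver did not validate them
    return "stripped"          # no RRSIG at all: DNSSEC cannot be used through this resolver

# Constructed sample responses (not real resolver output) so the check can run offline.
def sample_response(ad, with_rrsig):
    flags = 0x8180 | (AD_FLAG if ad else 0)    # QR, RD, RA, optionally AD
    question = encode_name("example.com") + struct.pack(">HH", TYPE_A, 1)
    a_rr = encode_name("example.com") + struct.pack(">HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    rrsig_rr = (encode_name("example.com") + struct.pack(">HHIH", TYPE_RRSIG, 1, 300, 3) + b"sig") if with_rrsig else b""
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, 2 if with_rrsig else 1, 0, 0)
    return header + question + a_rr + rrsig_rr
```

To test a real resolver, send build_query() over UDP to its port 53 for a name in a zone you know is signed and pass the reply to classify_response(); an unsigned zone returns no RRSIG from any resolver, so "stripped" only means something for a signed name.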

Ok, thank you for the explanation!!! Just to check… I was using this site to query the resolver:

https://dnsviz.net/d/resolver1.opendns.com/dnssec/

Looks like the last step is "insecure", is that the problem?

Decide by yourself what you like to use and what and whom you trust or trust more.

BR
Trash

Yes, I think so.
