List of DNS Servers

Yeah, I find this confusing now, too, that there are some servers that only do DoT.

I thought about splitting it into an extra table, but that does not seem like a good idea. An extra column is very tight. I think we should just mark when a server does DoT only. Otherwise leave it blank and add the DoT hostname which indicates that DoT is supported as well.

Does that make sense?

There are DoT only, and there are DNSSEC only.

Agree

I think our only two choices are extra small width column or extra rows. And extra rows make the page really l-o-n-g.

If we add a (DoT only) to the hostname, we should have a (DNSSEC only). This will make the hostname column “crowded”.

I created a playground page with an extra column. (This is just for testing)

https://wiki.ipfire.org/dns/public-servers/playground

There isn’t really DNSSEC only. All servers listed must support DNSSEC. They are automatically compatible with resolvers that do not support DNSSEC, but IPFire requires it, so it does not matter.

We do not care if the upstream resolver validates DNSSEC signatures or not.

We may be saying similar things in different ways.

To me there are a few different combinations:

  • DNS servers that do DoT and DNSSEC
  • DoT only (no plain DNSSEC)
  • And no DoT (what I call DNSSEC only)

And by having a DoT only I think we are missing a combination.

Please keep in mind much of my confusion comes from not fully understanding DNS, DNSSEC, DoT (and maybe DoH). And I’m trying to make the List of Public DNS Servers understandable for the NOOB level of user.

I’m not sure I understand this… I thought we did want DNSSEC.

The List of Public DNS Servers, as I understand it, is the minimum DNSSEC that a server should have. That's why I don't understand why some entries in it are DoT only. They should be in the list below, Unusable DNS Providers, because they have no DNSSEC?

If you do it this way, the List of Public DNS Servers is already logical for me. All in the list have DNSSEC, and if there is a DoT hostname entry, it also has DoT. So in my opinion only the DoT only entry should move, as I said.

Yes, those are currently all listed servers that have a DoT hostname.

They all do DNSSEC, too. And they must. But DoT and DNSSEC are not exclusive. DoT is only a way of transporting packets. What is in the packets does not matter to it. But since servers that do DoT are quite modern, they all support DNSSEC.

They are just a “plain” server for our case.

I hope this cleared things up?!
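The point made above, that DoT is only a transport and the DNSSEC content of the packets is independent of it, can be shown at the wire level. The following Python is an added example and not code from this thread or from the IPFire project; the transaction ID, the query name example.com, and the three response headers are constructed for the demonstration. It builds one query with the EDNS0 DO bit, shows that the identical bytes are sent over UDP (port 53) or, with a two-octet length prefix, over TCP and TLS (DoT, port 853), and reads the AD flag and RCODE from the response header.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 6891).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: the resolver validated the DNSSEC chain
EDNS_DO = 0x8000   # "DNSSEC OK" bit inside the OPT record's 32-bit TTL field
PORT_PLAIN, PORT_DOT = 53, 853   # UDP/TCP port 53; DoT uses TLS on TCP port 853 (RFC 7858)

def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """One DNS query message. With dnssec_ok, an EDNS0 OPT record carrying the DO bit is
    appended so the server returns RRSIG records; the transport plays no part here."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN
    if dnssec_ok:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size 1232,
        # TTL = ext-RCODE/version/flags with DO set, RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO, 0)
    return msg

def frame_for_stream(msg: bytes) -> bytes:
    """DNS over TCP (RFC 1035 4.2.2) and DNS over TLS (RFC 7858) carry the identical
    message, prefixed with its two-octet length. Over UDP the message goes as-is."""
    return struct.pack("!H", len(msg)) + msg

def unframe_stream(data: bytes):
    """Split one length-prefixed message off a TCP/TLS byte stream; returns (msg, rest)."""
    if len(data) < 2:
        raise ValueError("short stream")
    n = struct.unpack("!H", data[:2])[0]
    if len(data) < 2 + n:
        raise ValueError("truncated message")
    return data[2:2 + n], data[2 + n:]

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; the fields that matter for DNSSEC are RCODE and AD."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD), "answers": an}

def describe_response(msg: bytes) -> str:
    h = parse_header(msg)
    if h["rcode"] == 2:
        return "SERVFAIL (a validating resolver answers this way when signatures fail)"
    if h["ad"]:
        return "answer validated upstream (AD set)"
    return "answer not validated upstream (AD clear); a local validator still checks RRSIGs"

# Constructed response headers for the query above (bodies omitted for the example):
# QR|RD|RA|AD with an A record plus its RRSIG, the same without AD, and a SERVFAIL.
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 2, 0, 1)
RESP_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 2, 0, 1)
RESP_SERVFAIL = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 1)

if __name__ == "__main__":
    q = build_query("example.com.")
    print("UDP payload, port", PORT_PLAIN, ":", q.hex())
    print("DoT payload, port", PORT_DOT, ":", frame_for_stream(q).hex())
    for r in (RESP_VALIDATED, RESP_UNVALIDATED, RESP_SERVFAIL):
        print(describe_response(r))
```

The only difference between the plain and the DoT payload is the two-byte length prefix (and, at runtime, the TLS session around it); whether the answer carries RRSIG records or the AD flag depends on the server and on the DO bit in the query, not on the transport.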

No, now I am confused too :wink:

because

So I don't see any difference in the list between an entry with DoT only and one without that information. All use DNSSEC. So the information about DoT only makes no sense to me.

Concerning the Table/List this confused me also! See my comments here:

I understand.

We are saying the same thing but different ways. Different combinations reworded:

  • DNS servers that do DoT and plain DNSSEC
  • DoT only (no plain DNSSEC)
  • And plain DNSSEC only (no DoT)

Make sense?

No, not for me

As I said before, or better, in other words: if DoT servers all have DNSSEC, DoT only without DNSSEC cannot exist. It's absolutely illogical.

@ms - I tried to make things simpler on a test-playground wiki page. This is not final and should be considered a draft.

Legend for List:
DS = plain DNSSEC service only (no DoT service)
DoT = DNS-over-TLS service only (no plain DNSSEC service)
DS-DT = Server offers both plain DNSSEC service and DNS-over-TLS service

See: https://wiki.ipfire.org/dns/public-servers/playground
 
It took me a week to figure things out. And I am not sure I can explain it.

  1. There is a plain (or simple) DNSSEC. This is used without a certificate. On the Domain Name System webpage at menu Network → Domain Name System see the Protocol for DNS queries = UDP

So to me a UDP protocol for a DNS query is a plain (or simple) DNSSEC.

I have not looked into the TCP protocol for a DNS query.

 

  2. There is DoT (and yes, with DNSSEC). This is used with a certificate. And this is what was implemented in Core 141 (and 142). On the Domain Name System webpage at menu Network → Domain Name System see the Protocol for DNS queries = TLS

And to me a TLS protocol for a DNS query is DoT server.

Some DNS servers do only Item 1. Some DNS servers do only Item 2. And some DNS servers do both.

In the US I am having trouble finding DoT servers that are trustworthy and fast (and somewhat close by).

I try to explain :wink:

If you use the default UDP, it says nothing about the server's DNSSEC. It can be

Normal DNS without DNSSEC (not signed)

and also it can be

DNS Server with DNSSEC (signed)

Both DNS Server with DNSSEC + DNS encrypted (DoT)

And both because

And that's why, for me, again and again DoT only makes no sense :wink:

I think this isn’t really it. The abbreviations are not intuitive enough.

I would keep the extra column and simply put “DoT only” there as we had before and that is it. It is simple, but effective.

I have no idea what you are talking about. But the zones are always signed. That does not depend on the upstream DNS server.

IPFire always enforces DNSSEC. Therefore I consider it irrelevant for this table. It is a given.

I make no secret of it, I feel really pi…ed about it. I have one question. No one has answered yet. How can it be that you say all DoT servers have DNSSEC and then it's totally normal that DoT only (without DNSSEC) are in the list?

I can't understand this!

You should not forget that I am only a noob, I am no expert.

After staring at it for a day I agree.

Even though this is simple, it isn’t intuitive enough either.

I understand where you are coming from. I was (and probably still am) in the same boat. Part of the issue for me is creating an explanation for the above that is meaningful.

EDIT: added table

| Current | Name | Description | Comments |
|---|---|---|---|
| 0 | DNS plain | no DNSSEC and no DoT | not recommended by IPFire |
| 1 | DNSSEC plain | plain DNSSEC service only | no DoT service |
| 2 | DoT Only | DNS-over-TLS service with DNSSEC | no plain DNSSEC service |
| 3 | ALL | plain DNSSEC service & DNS-over-TLS service with DNSSEC | Yay! |

EDIT2: added DNS server examples for each level:
0 - DNS plain = Level3 / CenturyLink - 4.2.2.1 or SafeDNS - 195.46.39.39, 195.46.39.40
1 - DNSSEC plain = Quad9 (dns.quad10.net) - 9.9.9.10 or SprintLink (ns1.sprintlink.net) 204.117.214.10
2 - DoT Only = dns.digitale-gesellschaft.ch or Xfinity (dot.xfinity.com) - 185.95.218.42
3 - ALL - Google (dns.google) - 8.8.8.8 or Cloudflare (cloudflare-dns.com) - 1.1.1.1

1 Like

I cannot find a single question mark in your previous post. Clearly nobody saw that you asked a question here. It won’t help anyone to spread negative energy here and disguise it as “honesty”. You will have to help others helping you.

On the matter of how to make the page intuitive again, I guess if there is so much confusion, we should rather consider splitting the list in three parts again:

a) Servers that support UDP/TCP (and potentially TLS by adding the TLS hostname)
b) Servers that only support TLS
c) Servers that we don’t support

The logic behind that is that we won’t need an extra row with an abbreviation that isn’t intuitive or rather complex.

People who just need to add one or more DNS servers will find the large table at the top of the page, pick one, hit save, done. Those who care about TLS will scroll further and will find the other table (we could even duplicate some from the one above).

That will make the task that most people use the page for very easy without adding any extra complexity.

What do you think?
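The four levels from the table above (0 = DNS plain, 1 = DNSSEC plain, 2 = DoT Only, 3 = ALL) and the three-part split proposed here (a, b, c) describe the same server records from two angles. As an added example that is not code from this thread or from the IPFire wiki, the following Python derives both from one record per server, rejects the combination the table has no row for (DoT without DNSSEC), and renders a table row with the "(DoT only)" marker. The DnsServer fields, the "Digitale Gesellschaft" display name and the sample records are constructed; the addresses and hostnames in the sample are the ones the thread lists as examples for each level.

```python
from dataclasses import dataclass
from typing import Optional

# Level names as used in the table in this thread.
LEVEL_NAMES = {0: "DNS plain", 1: "DNSSEC plain", 2: "DoT Only", 3: "ALL"}

@dataclass(frozen=True)
class DnsServer:
    name: str
    plain_ip: Optional[str]      # address for plain UDP/TCP on port 53; None if no plain service
    dot_hostname: Optional[str]  # name in the TLS certificate on port 853; None if no DoT service
    dnssec: bool                 # serves signed records (RRSIG/DNSKEY) a validating resolver can check

def level(server: DnsServer) -> int:
    """Map a record to level 0..3; raise for combinations the table does not contain."""
    has_plain = server.plain_ip is not None
    has_dot = server.dot_hostname is not None
    if not has_plain and not has_dot:
        raise ValueError(f"{server.name}: no reachable service at all")
    if not server.dnssec:
        if has_dot:
            # No row in the table covers this; the thread treats it as a case that should not occur.
            raise ValueError(f"{server.name}: DoT without DNSSEC fits no level")
        return 0
    if has_plain and has_dot:
        return 3
    return 2 if has_dot else 1

def split_three_ways(servers):
    """a) plain UDP/TCP, TLS hostname optional; b) TLS only; c) not supported (no DNSSEC)."""
    parts = {"a": [], "b": [], "c": []}
    for s in servers:
        lv = level(s)
        key = "c" if lv == 0 else "b" if lv == 2 else "a"
        parts[key].append(s)
    return parts

def table_row(server: DnsServer) -> str:
    """One row for the big table: name, plain IP, DoT hostname, level; DoT-only rows get a marker."""
    lv = level(server)
    marker = " (DoT only)" if lv == 2 else ""
    return f"{server.name}{marker} | {server.plain_ip or ''} | {server.dot_hostname or ''} | {LEVEL_NAMES[lv]}"

# Constructed sample records, one per level, using the examples listed in the thread.
SAMPLE = [
    DnsServer("Level3 / CenturyLink", "4.2.2.1", None, dnssec=False),
    DnsServer("Quad9", "9.9.9.10", None, dnssec=True),
    DnsServer("Digitale Gesellschaft", None, "dns.digitale-gesellschaft.ch", dnssec=True),
    DnsServer("Google", "8.8.8.8", "dns.google", dnssec=True),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(table_row(s))
    for key, members in split_three_ways(SAMPLE).items():
        print(key + ")", ", ".join(m.name for m in members))
```

The split puts every level 1 and level 3 server into part a), so a reader who only needs an IP address never has to look at the DoT column; level 2 servers appear only in part b), and part c) holds the level 0 servers the page does not recommend.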

I also have feelings about you :wink: Don't worry, I love you :wink:

I help you out and mark it for you

The point is that servers with DoT are quite modern and would forward DNSSEC signatures. Of course they can still filter DNSSEC signatures for spoofed replies (i.e. content filtering), but that breaks DNSSEC although it is technically supported.

So if I understand b) correctly, this entry in the list doesn't get an IP entry, only a TLS name?

If so, it's nearly the same as I said 7 days ago.

Btw. I don't think that anyone else thinks I spread negative energy :wink: