Yeah, I find this confusing now, too, that there are some servers that only do DoT.
I thought about splitting it into an extra table, but that does not seem like a good idea. An extra column is very tight. I think we should just mark when a server does DoT only. Otherwise leave it blank and add the DoT hostname which indicates that DoT is supported as well.
There isn't really DNSSEC only. All servers listed must support DNSSEC. They are automatically compatible with resolvers that do not support DNSSEC, but IPFire requires it, so it does not matter.
We do not care if the upstream resolver validates DNSSEC signatures or not.
We may be saying similar things in different ways.
To me there are a few different combinations:
DNS servers that do DoT and DNSSEC
DoT only (no plain DNSSEC)
And no DoT (what I call DNSSEC only)
And by having a DoT only I think we are missing a combination.
Please keep in mind much of my confusion comes from not fully understanding DNS, DNSSEC, DoT (and maybe DoH). And I'm trying to make the List of Public DNS Servers understandable for the NOOB level of user.
I'm not sure I understand this… I thought we did want DNSSEC.
The List of Public DNS Servers, as I understand it, is the minimum (DNSSEC) that a server should have. That's why I don't understand why some entries in it are DoT only. Shouldn't they be in the list below, Unusable DNS Providers, because they have no DNSSEC?
If you do it that way, the List of Public DNS Servers is already logical for me. All in the list have DNSSEC, and if there is a DoT hostname entry, it also has DoT. So in my opinion only the DoT only entry should move, as I said.
Yes, those are currently all listed servers that have a DoT hostname.
They all do DNSSEC, too. And they must. But DoT and DNSSEC are not exclusive. DoT is only a way of transporting packets. What is in the packets does not matter to it. But since servers that do DoT are quite modern, they all support DNSSEC.
So I don't see any difference in the list between an entry with DoT only and one without that information. All use DNSSEC. So the information about DoT only makes no sense to me.
@ms - I tried to make things simpler on a test-playground wiki page. This is not final and should be considered a draft.
Legend for List:
DS = plain DNSSEC service only (no DoT service)
DoT = DNS-over-TLS service only (no plain DNSSEC service)
DS-DT = Server offers both plain DNSSEC service and DNS-over-TLS service
It took me a week to figure things out. And I am not sure I can explain it.
There is a plain (or simple) DNSSEC. This is used without a certificate. On the Domain Name System webpage at menu Network → Domain Name System see the Protocol for DNS queries = UDP
So to me a UDP protocol for a DNS query is a plain (or simple) DNSSEC.
I have not looked into the TCP protocol for a DNS query.
There is DoT (and yes, with DNSSEC). This is used with a certificate. And this is what was implemented in Core 141 (and 142). On the Domain Name System webpage at menu Network → Domain Name System see the Protocol for DNS queries = TLS
I make no secret of it, I feel really pi…ed about it. I have one question. No one has answered it yet. How can it be that you say all DoT servers have DNSSEC, and then it's totally normal that DoT only (without DNSSEC) entries are in the list?
I can't understand this!
You should not forget that I am only a noob, I am no expert.
Even though this is simple, it isn't intuitive enough either.
I understand where you are coming from. I was (and probably still am) in the same boat. Part of the issue for me is creating an explanation for the above that is meaningful.
EDIT: added table
| Level | Current Name | Description | Comments |
|---|---|---|---|
| 0 | DNS plain | no DNSSEC and no DoT | not recommended by IPFire |
| 1 | DNSSEC plain | plain DNSSEC service only | no DoT service |
| 2 | DoT Only | DNS-over-TLS service with DNSSEC | no plain DNSSEC service |
| 3 | ALL | plain DNSSEC service & DNS-over-TLS service with DNSSEC | Yay! |
EDIT2: added DNS server examples for each level:
0 - DNS plain = Level3 / CenturyLink - 4.2.2.1 or SafeDNS - 195.46.39.39, 195.46.39.40
1 - DNSSEC plain = Quad9 (dns.quad10.net) - 9.9.9.10 or SprintLink (ns1.sprintlink.net) - 204.117.214.10
2 - DoT Only = dns.digitale-gesellschaft.ch or Xfinity (dot.xfinity.com) - 185.95.218.42
3 - ALL = Google (dns.google) - 8.8.8.8 or Cloudflare (cloudflare-dns.com) - 1.1.1.1
I cannot find a single question mark in your previous post. Clearly nobody saw that you asked a question here. It won't help anyone to spread negative energy here and disguise it as "honesty". You will have to help others help you.
On the matter of how to make the page intuitive again, I guess if there is so much confusion, we should rather consider splitting the list in three parts again:
a) Servers that support UDP/TCP (and potentially TLS by adding the TLS hostname)
b) Servers that only support TLS
c) Servers that we don't support
The logic behind that is that we won't need an extra row with an abbreviation that isn't intuitive or rather complex.
People who just need to add one or more DNS servers will find the large table at the top of the page, pick one, hit save, done. Those who care about TLS will scroll further and will find the other table (we could even duplicate some from the one above).
That will make the task that most people use the page for very easy without adding any extra complexity.
The point is that servers with DoT are quite modern and would forward DNSSEC signatures. Of course they can still filter DNSSEC signatures for spoofed replies (i.e. content filtering), but that breaks DNSSEC although it is technically supported.
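To make the distinction from the earlier posts concrete (plain DNS on UDP/53 where the upstream passes DNSSEC signatures through, versus DNS-over-TLS on 853 with a certificate checked against the DoT hostname), here is an added Python example. It is not code from the IPFire project or from anyone in this thread and uses only the standard library. It sends a query with the EDNS0 DO bit and checks whether RRSIG records come back, which is exactly the "forwards signatures rather than stripping them" property described in the last post; then it tries the same query over TLS on 853 and maps the two observations onto the level numbers of the table above. The query name ipfire.org, the "RRSIG present" criterion and the sample reply are my assumptions and constructions, not anything from the wiki page.

```python
"""Probe a public resolver and map it onto the levels of the table in this thread.
Added example, not IPFire project code. Assumptions (mine, not from the page):
"plain DNSSEC service" = a UDP/53 query with DO=1 returns RRSIG records;
"DoT service" = a TLS session on 853, verified against the DoT hostname, answers
the same query. The AD flag is only reported, since upstream validation does not matter."""
import socket
import ssl
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000   # DNSSEC OK bit, top bit of the OPT record's flags field
FLAG_AD = 0x0020   # Authenticated Data bit in the DNS header flags

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Recursive query for an A record plus an EDNS0 OPT RR carrying DO=1."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    question = qname + struct.pack(">HH", TYPE_A, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags, rdlen 0
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg: bytes) -> dict:
    """Pull out the rcode, the AD flag and the record types in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"id": qid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "answer_types": types, "has_rrsig": TYPE_RRSIG in types}

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed before the full message arrived")
        buf += chunk
    return buf

def query_udp(server_ip: str, name: str, timeout: float = 3.0) -> dict:
    """Plain DNS on UDP/53, i.e. 'Protocol for DNS queries = UDP' in IPFire."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

def query_dot(server_ip: str, dot_hostname: str, name: str, timeout: float = 3.0) -> dict:
    """DNS over TLS on 853 (RFC 7858 two-byte length framing); cert must match dot_hostname."""
    q = build_query(name)
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=dot_hostname) as tls:
            tls.sendall(struct.pack(">H", len(q)) + q)
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            data = _recv_exact(tls, length)
    return parse_response(data)

LEVELS = {(False, False): (0, "DNS plain"), (True, False): (1, "DNSSEC plain"),
          (False, True): (2, "DoT Only"), (True, True): (3, "ALL")}

def classify(plain_forwards_dnssec: bool, dot_works: bool) -> tuple:
    """Map the two observations onto the level numbers and names of the table."""
    return LEVELS[(plain_forwards_dnssec, dot_works)]

def probe(server_ip: str, dot_hostname: str = "", name: str = "ipfire.org.") -> tuple:
    """Live check; a network or TLS failure counts as 'service not offered'.
    The name must be a signed zone (ipfire.org is my assumed choice, swap in one you trust)."""
    def ok(fn):
        try:
            return fn()["has_rrsig"]
        except OSError:   # covers timeouts and ssl.SSLError
            return False
    plain = ok(lambda: query_udp(server_ip, name))
    dot = bool(dot_hostname) and ok(lambda: query_dot(server_ip, dot_hostname, name))
    return classify(plain, dot)

def sample_signed_response() -> bytes:
    """Constructed reply, not captured from any server: AD set, one A and one RRSIG answer."""
    header = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0)  # QR, RD, RA, AD set, NOERROR
    question = b"\x06ipfire\x03org\x00" + struct.pack(">HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"  # compression pointer back to the question name
    a_rr = ptr + struct.pack(">HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    rrsig_rr = ptr + struct.pack(">HHIH", TYPE_RRSIG, 1, 300, 18) + b"\x00" * 18  # dummy rdata
    return header + question + a_rr + rrsig_rr

if __name__ == "__main__":
    print(parse_response(sample_signed_response()))
    # Live use against an entry from the list, e.g.: print(probe("8.8.8.8", "dns.google"))
```

A server that answers on UDP/53 but returns no RRSIG for a signed name lands in level 0 here (it strips or filters signatures, which is the "breaks DNSSEC although technically supported" case); a server that times out on 53 but answers with signatures over 853 lands in level 2, "DoT Only".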