dnssec and DoT incompatibility question
-
Can anyone explain why these are incompatible with one another?
Thanks!
-
@jc1976 they aren't
If the resolver you forward to, and talk to via DoT, is doing DNSSEC, then DNSSEC will be used. Quad9, for example, does DNSSEC. So if you forward to Quad9 and are using DoT, you will get DNSSEC.
What isn't really a valid configuration is asking for DNSSEC when you forward. Where you forward to is either doing DNSSEC or they are not. If you forward and ask for DNSSEC, it doesn't really mean anything. It's a pointless sort of config.
https://www.quad9.net/support/faq/#dns_tls
Does Quad9 support DNS over TLS? We do support DNS over TLS on port 853 (the standard) using an auth name of dns.quad9.net.
https://www.quad9.net/support/faq/#dnssec
Yes. Quad9 provides DNSSEC validation on our primary resolvers: 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::9.
In addition we validate DNSSEC on our EDNS enabled service: 9.9.9.11, 149.112.112.11, 2620:fe::11, 2620:fe::fe:11.
This means that for domains that implement DNSSEC security, the Quad9 system will cryptographically ensure that the response provided matches the intended response of the domain operator. In the event of a cryptographic failure, our system will not return an answer at all. This ensures protection against domain spoofing or other attacks that attempt to provide false data. Learn more about DNSSEC here: https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en
-
@johnpoz I think I get what you're saying..
Basically, if the upstream DNS supports DoT and you're using it, you don't need to validate with DNSSEC because you're already validating via DoT (is that correct?).
And at that point, if DNS had been 'poisoned', it's on the upstream DNS provider (Cloudflare in my case), and we (the users) can't do anything about that anyway.
-
@jc1976 said in dnssec and DoT incompatibility question:
with DNSSEC because you're already validating via DoT.
Not even close...
DoT and DNSSEC are completely different things that have zero to do with each other.
If the resolver you're forwarding to is doing DNSSEC, it doesn't matter if you ask them in the clear over normal DNS on UDP 53 or you ask them over DoT.
If the resolver you're forwarding to isn't doing DNSSEC, you can ask them all you want for DNSSEC; it means nothing, be it you ask them over open UDP 53 or via DoT. All DoT does is encrypt what you're asking the NS you're forwarding to, and it should validate that you're actually talking to that specific company's NS. That is not what DNSSEC is. DNSSEC is validating that the www.domain.tld that was resolved from the SOA is actually what the SOA of that domain says it is.
-
Thanks for clarifying.
Why is there a compatibility issue between DoT and DNSSEC?
-
@jc1976 said in dnssec and DoT incompatibility question:
Why is there a compatibility issue between DoT and DNSSEC?
There ISN'T, as I just went over!!
If you're going to forward, be it you're doing normal UDP 53 or DoT, uncheck "use DNSSEC" because it doesn't matter. Where you forward to is either doing DNSSEC or they are not. You checking that box isn't going to do anything but cause extra DNS queries.
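The distinction the thread keeps coming back to can be seen on the wire. The following is an added example written for this page, not code from any poster or from pfSense/Unbound. It uses only the Python standard library and constructed sample responses (no traffic was captured), so it runs offline. It shows that "asking for DNSSEC" is a bit inside the DNS message (the DO bit in the EDNS0 OPT record), that "the resolver validated" is another bit inside the message (the AD flag in the reply, or SERVFAIL when validation fails), and that DoT is nothing more than the same bytes, length-prefixed, inside a TLS session to port 853. The `dot_exchange` function is included to show the transport side against a real resolver such as 9.9.9.9 with auth name dns.quad9.net, but it is not exercised by the offline part; the address 192.0.2.1 in the sample answer is a documentation address, and RRSIG records that a real validated reply would carry are omitted for brevity.

```python
"""Added example (not from the thread): DNSSEC signalling vs. DoT transport.

DNSSEC lives inside the DNS message: the client sets the DO bit in an EDNS0
OPT record to ask for signatures (RFC 6891), and a validating resolver sets
the AD flag in its reply (RFC 4035) or answers SERVFAIL for bogus data.
DoT (RFC 7858) is only transport: the unchanged message gets a 2-byte length
prefix (RFC 1035 section 4.2.2) and travels inside TLS to port 853.
"""
import socket
import ssl
import struct

DOT_PORT = 853
TYPE_OPT = 41
DO_BIT = 0x8000      # DO flag lives in the OPT RR's TTL field
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020     # Authentic Data: the resolver says it validated the answer
FLAG_CD = 0x0010
RCODE_SERVFAIL = 2


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        if ln == 0:
            return off + 1
        off += 1 + ln


def build_query(name, qtype=1, dnssec_ok=False, txid=0x1234):
    """Wire-format query; with dnssec_ok an OPT RR carrying the DO bit is appended."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP payload size,
        # "TTL" = ext-RCODE | version | flags, DO is the top flag bit.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF, "counts": (qd, an, ns, ar)}


def has_do_bit(msg):
    """True if the message carries an OPT RR with DO set (client asked for DNSSEC data)."""
    qd, an, ns, ar = parse_header(msg)["counts"]
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT and ttl & DO_BIT:
            return True
        off += 10 + rdlen
    return False


def classify_response(resp):
    """What the upstream resolver is telling us, independent of how the bytes arrived."""
    h = parse_header(resp)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"                        # validating resolvers answer this for bogus data
    return "validated" if h["ad"] else "unvalidated"


def constructed_response(query, validated, rcode=0):
    """Constructed sample reply (not captured traffic): QR|RD|RA, AD only when validated."""
    txid, _f, qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4
    question, additional = query[12:qend], query[qend:]   # OPT RR (if any) echoed back
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode | (FLAG_AD if validated else 0)
    answer = b""
    if rcode == 0:
        # A 192.0.2.1 (TEST-NET-1), owner compressed to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = struct.pack("!HHHHHH", txid, flags, qd, 1 if answer else 0, 0, ar)
    return header + question + answer + additional


def frame_for_dot(msg):
    """DoT (like plain TCP) sends the identical message behind a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def dot_exchange(server_ip, auth_name, query, timeout=5.0):
    """Send `query` over TLS to port 853, verifying the resolver's certificate against auth_name.
    Network-only; e.g. dot_exchange("9.9.9.9", "dns.quad9.net", build_query("example.com", dnssec_ok=True))."""
    ctx = ssl.create_default_context()           # chain + hostname verification
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_for_dot(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)


if __name__ == "__main__":
    q = build_query("www.example.com", dnssec_ok=True)
    print("query asks for DNSSEC data (DO bit):", has_do_bit(q))
    print("same bytes framed for DoT:", frame_for_dot(q)[:2].hex(), "+", len(q), "bytes")
    for label, resp in [("validating upstream", constructed_response(q, True)),
                        ("non-validating upstream", constructed_response(q, False)),
                        ("bogus zone at validating upstream", constructed_response(q, False, RCODE_SERVFAIL))]:
        print(f"{label}: {classify_response(resp)}")
```

Two practical points follow from this. First, the AD flag is a claim made by whichever resolver you forward to; a forwarder that merely sets DO learns whether the upstream validated, it does not validate anything itself. Second, over plain UDP/53 that claim is unauthenticated, so anyone on path can set or clear AD in transit; what DoT adds is exactly the certificate check against the auth name (dns.quad9.net in the Quad9 FAQ quoted above) plus confidentiality and integrity for the message, so AD from a DoT-authenticated resolver is a claim you can at least attribute to that operator.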