DNSSEC - Subdomains

## I posted this in discussions because it didn't feel right in "Ideas"

 

Hello,

I've been using NextDNS ever since the beta and have been very pleased with the service provided (even after it became a paid service it isn't expensive for what you are provided with).

And I must say I am surprised by the performance the DNS provider has been able to deliver from the start (rarely had any issues, only minor ones, but Anycast/UltraLow routing usually worked fine).

However, ever since you began to implement the Ultra Low Latency Network, I have started to get resolution errors.

I traced this back and saw that whenever dns.nextdns.io (or the doh3. subdomain) is resolved, it does a CNAME resolution to steering.nextdns.io (or doh3.steering.nextdns.io); however, it would seem that DNSSEC is enabled on the dns subdomain but NOT on the steering subdomain.

Is it possible for the NextDNS team to enable DNSSEC on the steering subdomain (and potentially some others too)?

 

## Diagnostic Information ##

DNS Subdomains

https://dnsviz.net/d/dns.nextdns.io/dnssec/

https://dnsviz.net/d/dns1.nextdns.io/dnssec/

https://dnsviz.net/d/dns2.nextdns.io/dnssec/

https://dnsviz.net/d/doh3.dns.nextdns.io/dnssec/

https://dnsviz.net/d/doh3.dns1.nextdns.io/dnssec/

https://dnsviz.net/d/doh3.dns2.nextdns.io/dnssec/

Steering (NO DNSSEC)

https://dnsviz.net/d/steering.nextdns.io/dnssec/

https://dnsviz.net/d/doh3.steering.nextdns.io/dnssec/

Nameservers

https://dnsviz.net/d/ns1.nextdns.io/dnssec/

https://dnsviz.net/d/ns2.nextdns.io/dnssec/

Others (NO DNSSEC)

https://dnsviz.net/d/my.nextdns.io/dnssec/

https://dnsviz.net/d/help.nextdns.io/dnssec/

~ The resolution errors were because I rejected unsigned subdomains (nextdns.io and *.nextdns.io), but I'd prefer DNSSEC to be fully enabled if that is possible.

 

Thanks in advance,

A NextDNS User

5 replies

    • Stephen_Weber
    • 2 yrs ago

    steering.nextdns.io having no DNSSEC is causing quite some problems for me as well...

      • User
      • 2 yrs ago

      Stephen Weber I posted this thing in the wrong section so it received no answer. But NextDNS responded to me in a PM and the summary is:

      "steering is a dynamic DNS record and adding DNSSEC to it would prove to be very challenging; we mean to add it eventually but this will take up a lot of time."

      If you got additional questions about this you should PM them as well or simply contact their support.

      Kind regards,

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago

      User I wonder if Quad9 has done this already.

      • User
      • 2 yrs ago

      DynamicNotSlow

      You should not use this post anymore as I abandoned it, but to answer it: no, they validate DNSSEC but don't support DNSSEC for their domain, which is just a big joke lmao. AdGuard has the exact same.

      Hence I stopped recommending both of them ever since.

      I deem DNSSEC mandatory for resolvers using protocols such as DoH, DoT and DoQ (all of them use hostnames like blabla.example.com, unlike DNSCrypt v2, for instance).

      • NextDNs
      • 2 yrs ago

      User, you can use anycast.dns.nextdns.io if you want to skip the dynamic CNAME and have the whole chain DNSSEC-signed. Note that even though the steering CNAME is not signed, our resolvers still fully support and validate DNSSEC.
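
The thread's diagnosis (a signed CNAME at dns.nextdns.io pointing at an unsigned target at steering.nextdns.io, and the anycast.dns.nextdns.io workaround) is easy to reproduce from a `dig +dnssec` answer section: walk the CNAME chain and check whether each hop's RRset carries an RRSIG. The script below is an added example, not code from the thread or from NextDNS. The two answer sections are constructed to match what the thread describes (placeholder addresses from RFC 5737, dummy RRSIG fields); the "strict" policy function emulates the original poster's choice to reject unsigned names. A standard validator would instead treat the provably unsigned steering zone as insecure and simply clear the AD bit, which is why the poster's setup failed where default resolvers do not.

```python
"""Walk a CNAME chain in a `dig +dnssec` answer section and flag unsigned hops.

Added example (not the thread's or NextDNS's own code). To use it on live data:
    dig +dnssec +noall +answer dns.nextdns.io
and pass the output text to walk_chain().
"""
from dataclasses import dataclass

# Constructed sample modelled on the thread: dns.nextdns.io is a signed CNAME,
# the steering target answers with plain A records and no RRSIG. The addresses
# are RFC 5737 placeholders and the RRSIG fields are dummies, not captured data.
SAMPLE_DYNAMIC = """\
;; ANSWER SECTION:
dns.nextdns.io.         300  IN  CNAME  steering.nextdns.io.
dns.nextdns.io.         300  IN  RRSIG  CNAME 13 3 300 20240201000000 20240101000000 12345 nextdns.io. AAAA
steering.nextdns.io.     30  IN  A      192.0.2.10
steering.nextdns.io.     30  IN  A      192.0.2.11
"""

# Constructed sample for the workaround: a direct, signed A RRset, no CNAME.
SAMPLE_ANYCAST = """\
;; ANSWER SECTION:
anycast.dns.nextdns.io. 300  IN  A      192.0.2.20
anycast.dns.nextdns.io. 300  IN  RRSIG  A 13 4 300 20240201000000 20240101000000 12345 nextdns.io. AAAA
"""


@dataclass
class Hop:
    owner: str       # owner name of the RRset, fully qualified and lowercased
    rtype: str       # "CNAME" for an intermediate hop, the query type at the end
    rdata: list      # CNAME target, or the final records
    signed: bool     # True if an RRSIG covering this RRset was present


def parse_answer(text):
    """Return ({(owner, type): [rdata, ...]}, {(owner, type_covered_by_rrsig)})."""
    rrsets, signed = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # skip dig's comment lines
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        owner = owner.lower()
        if rtype == "RRSIG":
            # first rdata field of an RRSIG is the type it covers
            signed.add((owner, rdata.split()[0]))
        else:
            rrsets.setdefault((owner, rtype), []).append(rdata)
    return rrsets, signed


def walk_chain(text, qname, qtype="A", max_hops=8):
    """Follow CNAMEs from qname to the final qtype RRset, one Hop per RRset."""
    rrsets, signed = parse_answer(text)
    name = qname.lower().rstrip(".") + "."
    hops = []
    for _ in range(max_hops):
        if (name, qtype) in rrsets:
            hops.append(Hop(name, qtype, rrsets[(name, qtype)], (name, qtype) in signed))
            return hops
        if (name, "CNAME") in rrsets:
            target = rrsets[(name, "CNAME")][0]
            hops.append(Hop(name, "CNAME", [target], (name, "CNAME") in signed))
            name = target.lower()
            continue
        raise LookupError(f"no {qtype} or CNAME RRset for {name} in the answer")
    raise LookupError("CNAME chain too long")


def first_unsigned_hop(hops):
    """Owner name of the first RRset without an RRSIG, or None if all are signed."""
    for hop in hops:
        if not hop.signed:
            return hop.owner
    return None


def strict_policy_accepts(hops):
    """Emulate a resolver policy that rejects any unsigned RRset in the chain."""
    return all(h.signed for h in hops)


if __name__ == "__main__":
    for label, text, name in (("dynamic", SAMPLE_DYNAMIC, "dns.nextdns.io"),
                              ("anycast", SAMPLE_ANYCAST, "anycast.dns.nextdns.io")):
        chain = walk_chain(text, name)
        for hop in chain:
            print(f"[{label}] {hop.owner} {hop.rtype} {'signed' if hop.signed else 'UNSIGNED'}")
        print(f"[{label}] strict policy accepts: {strict_policy_accepts(chain)}")
```

Run against a live `dig +dnssec +noall +answer` capture the same function tells you exactly which owner name in the chain lacks a signature, which is the question the dnsviz links above answer graphically.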
