
Ed448 test failing at rootcanary.org/test.html

I am getting it to show green using local dnssec validation. But it works on PC only for now. Will have to install something on smartyphone and tablet too if you cannot fix the issue. Even Google public DNS doesn't support ed448 apparently because they use BoringSSL and failed to implement it or something. I chose it for my domain recently thinking that by now all major public resolvers support it but it seems I was wrong. I do seem to recall seeing green previously when using adguard dns but that is no longer the case sadly.

4 replies

    • Anindya_Baruah
    • 9 mths ago

    I managed to get local dnssec validation working on my phone and tablet also. And this is indeed a bug since the logs at https://my.nextdns.io do show "Validated with DNSSEC." even for domains using the ED448 algorithm.

    Anyway, I am using unbound on my phone and tablet to do the local DNSSEC validation now. On the PC it is also done by unbound, installed on the router. That was easy since it is OpenWrt. But getting it working on the phone and tablet was not so easy. They are also sometimes connected to the router and could have used the validation done by the router, but that would not have worked when using mobile data. And the device identification feature would also not have worked, I suppose.

    Anyway, I made it into a magisk module and have posted it on xda-developers also now if anybody is interested in trying it out - https://forum.xda-developers.com/t/module-unbound-dns-resolver.4610615/ . 👍

    And of course, I now also have all green on ed448.no and rootcanary.org/test.html also. 😀
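The local-validation setup described in this post, written out as an added example (not the poster's module and not configuration from the unbound or NextDNS projects): a minimal validating unbound.conf that forwards to an upstream resolver over DNS over TLS. Because unbound validates the answers itself, an upstream that does not implement Ed448 (algorithm 16) no longer decides the outcome. The upstream address and TLS authentication name are placeholders to be replaced with the resolver actually used; the paths assume a typical Linux layout.

```conf
# Added example, not from the thread. Placeholder upstream values below.
server:
    interface: 127.0.0.1
    port: 53
    # Root trust anchor; seed it once with unbound-anchor, then RFC 5011
    # keeps it current.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Return SERVFAIL for bogus data instead of handing it to clients.
    val-permissive-mode: no
    # Treat a missing signature where one is expected as bogus.
    harden-dnssec-stripped: yes
    # Log each validation outcome so a failing chain is visible locally.
    val-log-level: 2
    # CA bundle used to authenticate the DoT upstream.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#auth-name of the upstream (placeholder, replace before use).
    forward-addr: 192.0.2.1@853#dot.resolver.example
```

Note that unbound can only validate the algorithms its crypto library provides; a build against a library without Ed448 support treats algorithm 16 the same way the public resolvers in this thread do, so it is worth confirming with the rootcanary test after the local resolver is in place.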

    • BigDargon
    • 9 mths ago

    I tried to check with Cloudflare DNS but got the same result. DNSSEC is a DNS security feature that validates records so that they cannot be tampered with by changing DNS records.

    Local recursive DNS servers usually get support early; large servers update more slowly with new security features. But DNSSEC versions are still useful; there is nothing to worry about.

    Check using https://dnscheck.tools/

    and https://cmdns.dev.dns-oarc.net/

    • Anindya_Baruah
    • 9 mths ago

    Yes, I know there is nothing to worry about. But as mentioned in my previous post, the logs available at https://my.nextdns.io are showing "Validated with DNSSEC." for Ed448 domains also, even though validation is failing according to rootcanary.org. As such, I thought I would post it as a bug report since I found this easy-to-use forum. Otherwise I doubt I would have reported it.

    And as mentioned in the first post, I am using it for my domain now and obviously I would prefer that it be properly validated. That is why I have set up local DNSSEC validation on my devices now. Now I can also use resolvers which do not support DNSSEC at all, if I want. I mentioned in my xda post that OpenDNS doesn't support DNSSEC, but apparently they have been supporting it since 2020 (https://support.opendns.com/hc/en-us/articles/360039659971-DNSSEC-General-Availability). But when I checked recently I seem to recall seeing all yellow. Must have been cached results or something, because when I tested again after my xda post it was showing green for Ed448 also. How embarrassing. 🤣

    They still do not support DNS over TLS though, so you cannot use android's "Private DNS" setting for OpenDNS (which is what I was using for NextDNS). Unless they have added DoT support also in the near past and I somehow do not know (Edit: Hahaa, that is exactly what has happened again it seems - https://umbrella.cisco.com/blog/enhancing-support-dns-encryption-with-dns-over-https). I did find an article on zdnet just yesterday that seems to be implying that you can just put 208.67.222.222 on android's "Private DNS" setting, even though that is not the case (https://www.zdnet.com/article/how-to-turn-on-private-dns-mode-on-android-and-why-you-should/). 🤷‍♂️
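The disagreement discussed in this thread, between a log that says "Validated with DNSSEC." and a test page that reports the Ed448 check as failing, comes down to what a client can actually observe from a resolver. The following is an added example, not code from the thread or from NextDNS: it builds a query with the EDNS0 DO bit (the signal that the client wants validation), checks that a query carries it, and classifies a reply by its header. The AD bit means the resolver validated the chain; SERVFAIL means it judged the data bogus (or failed); no AD with a normal answer means the zone was treated as insecure, which is what RFC 4035 prescribes when the resolver does not implement the zone's signing algorithm. The reply packets are constructed headers, not captured traffic; the `probe` function is for a live check against a resolver of your choice.

```python
"""Added example (not from the thread): DO-bit query construction and
reply classification for checking a resolver's DNSSEC behaviour."""
import random
import socket
import struct
from typing import Optional

OPT_TYPE = 41           # EDNS0 OPT pseudo-RR (RFC 6891)
DO_FLAG = 0x8000        # "DNSSEC OK" bit in the OPT TTL field (RFC 4035 s.3.2.1)
EDNS_UDP_SIZE = 1232


def _encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Standard query: RD=1, one question, one OPT RR with DO set."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16) with DO set, RDLENGTH=0
    opt = b"\x00" + struct.pack(">HHBBHH", OPT_TYPE, EDNS_UDP_SIZE, 0, 0, DO_FLAG, 0)
    return header + question + opt


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression)."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:       # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + ln


def query_requests_validation(pkt: bytes) -> bool:
    """True if the packet carries an OPT RR with the DO bit set."""
    _, _, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return False


def classify_response(resp: bytes) -> str:
    """Map a resolver's reply header to the validation outcome it implies."""
    _, flags, *_ = struct.unpack(">HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    if rcode == 2:
        return "servfail"       # bogus data per the validator, or upstream failure
    if rcode != 0:
        return f"rcode-{rcode}"
    # No AD on a successful answer: the resolver did not validate, or treated
    # the zone as insecure (e.g. its algorithm is not implemented).
    return "secure" if ad else "insecure"


def probe(name: str, resolver: str, timeout: float = 3.0) -> str:
    """Send one DO query over UDP to a resolver and classify its reply (needs network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify_response(resp)


# Constructed reply headers (no records), not captured traffic.
SECURE_REPLY = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 0, 0, 0)    # qr rd ra ad
INSECURE_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)  # qr rd ra
BOGUS_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)     # qr rd ra, SERVFAIL

if __name__ == "__main__":
    for label, r in [("secure", SECURE_REPLY), ("insecure", INSECURE_REPLY), ("bogus", BOGUS_REPLY)]:
        print(label, "->", classify_response(r))
    # Live check against a local validator, e.g.: print(probe("srv1.n3t.in", "127.0.0.1"))
```

Run against a validating local resolver, a domain signed with an algorithm the resolver implements comes back "secure"; against a resolver that lacks that algorithm it comes back "insecure", which is the same thing a resolver log or test page is reporting when it does not show a clean validation, so a "validated" log entry for such a domain is worth questioning.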

    • Anindya_Baruah
    • 9 mths ago

    Thought I would post this screenshot from the "logs" section in https://my.nextdns.io.

    It is one of my domains and is using the Ed448 algorithm now as you can confirm here also - https://dnsviz.net/d/srv1.n3t.in/dnssec/.

Content aside

  • Last active 9 mths ago
  • 4 Replies
  • 140 Views
  • 2 Following