jcalvinowens | 2 days ago

No, modern resolvers like systemd-resolved actually check the DNSSEC signatures on the client.

tptacek | 2 days ago

To check the DNSSEC signatures on the client, you have to do a full recursive lookup. You've always been able to run your own DNS cache, if you want your host to operate independently of any upstream DNS server. But at that point, you're simply running your own DNS server.

jcalvinowens | 2 days ago

It's not necessarily equivalent to a recursive lookup: you can ask a cache for all the answers, because you already know the root keys a priori. But yes, it does follow the entire chain of trust; that's the entire point of DNSSEC. If you don't do that, the whole exercise is utterly pointless.

akerl_ | 2 days ago

Can you link to a distro config that defaults to that?

jcalvinowens | 2 days ago

No, it's experimental. But I run it on all my machines, and the only time I've had a problem is when it caught a typo in a DS record.
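The "typo in a DS record" above is exactly the kind of break a validating client catches when it walks the chain of trust: at each delegation the parent's DS digest must match the hash of the child's DNSKEY. The following is an added example (not from any commenter, and not systemd-resolved's code) that recomputes a DS record from a DNSKEY per RFC 4034 and checks it against the parent's published one; the DNSKEY material is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner wire form || DNSKEY RDATA)."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, owner_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               key_b64: str, published_ds: str) -> bool:
    """Does the parent's DS ("keytag alg digesttype hex") authenticate this DNSKEY?"""
    tag, alg, dtype, hexdigest = published_ds.split(maxsplit=3)
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (int(tag) == key_tag(rdata)
            and int(alg) == algorithm
            and ds_digest(owner, rdata, int(dtype)) == hexdigest.replace(" ", "").upper())


if __name__ == "__main__":
    # Constructed placeholder KSK for a fictional zone (flags 257 = KSK, alg 13 = ECDSAP256SHA256).
    zone, key_b64 = "example.com.", base64.b64encode(bytes(range(32))).decode()
    rdata = dnskey_rdata(257, 3, 13, key_b64)
    good_ds = f"{key_tag(rdata)} 13 2 {ds_digest(zone, rdata)}"
    # Simulate a one-character typo when the DS was pasted into the parent zone.
    typo_ds = good_ds[:-1] + ("0" if good_ds[-1] != "0" else "1")
    print("correct DS validates:", ds_matches(zone, 257, 3, 13, key_b64, good_ds))
    print("typo'd DS validates: ", ds_matches(zone, 257, 3, 13, key_b64, typo_ds))
```

A strict validator treats the second case as bogus and fails the lookup; a resolver in a downgrade-tolerant mode would instead quietly stop validating for that zone.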