
Add DNSSEC validation option

Open ameshkov opened this issue 7 years ago • 10 comments

ameshkov avatar Jan 25 '19 19:01 ameshkov

Any plans for Encrypted SNI also?

uBlock-user avatar Feb 06 '19 15:02 uBlock-user

As a part of the DoH implementation? Not until it is a part of the Go language.

ameshkov avatar Feb 06 '19 15:02 ameshkov

Yes, does it have to be server-side, or will having it on the client do?

uBlock-user avatar Feb 06 '19 15:02 uBlock-user

It needs to be supported by both the client and the server. I think it's going to take years before ESNI is widely adopted considering that this is just a draft at the moment, and there is still some controversy about it.

ameshkov avatar Feb 06 '19 15:02 ameshkov

Firefox and Cloudflare already support it, so I hope to see it land in Chromium real soon as a feature request bug was opened back in October.

uBlock-user avatar Feb 06 '19 15:02 uBlock-user

Well, yeah, and that's why I say years, otherwise I would've said "never" :)

ameshkov avatar Feb 06 '19 16:02 ameshkov

Can you estimate when DNSSEC support will be available? At the moment, I can only see that it seems to have been a work in progress since January...

dodmi avatar Nov 10 '19 08:11 dodmi

No estimates yet. DNSSEC requires implementing a full-scale DNS recursor in Go first.

ameshkov avatar Nov 13 '19 10:11 ameshkov

Hmm, nope. Dnsmasq is not a full-scale recursor and has DNSSEC validation. But it needs to do its own queries dependent on other queries. Not a simple feature. But please allow DNSSEC pass-through, meaning a DO-enabled query gets a DO-enabled response, if upstream forwarders can provide it.

pemensik avatar Nov 13 '23 16:11 pemensik
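The pass-through request in the last comment can be checked at the wire level. The following is an added example, not code from dnsproxy or from anyone in this thread: it reads the DO bit (RFC 3225) from the EDNS0 OPT record of a raw DNS message and compares the message a forwarder received with the one it sent on. The names `skipName`, `HasDO`, `DOPreserved` and the sample messages are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// skipName returns the offset just past the name at off; a result > len(msg) means truncation.
func skipName(msg []byte, off int) int {
	for off < len(msg) && msg[off] != 0 && msg[off] < 0xC0 {
		off += 1 + int(msg[off]) // ordinary label: length octet plus data
	}
	if off < len(msg) && msg[off] >= 0xC0 {
		return off + 2 // compression pointer: two octets, ends the name
	}
	return off + 1 // root label (or past the end if the message is truncated)
}

// HasDO reports whether msg has an EDNS0 OPT record (type 41) with DO set; ok is false if malformed.
func HasDO(msg []byte) (do, ok bool) {
	if len(msg) < 12 {
		return false, false
	}
	u16 := func(i int) int { return int(msg[i])<<8 | int(msg[i+1]) }
	off := 12
	for i := 0; i < u16(4); i++ { // questions: name, QTYPE, QCLASS
		off = skipName(msg, off) + 4
	}
	for i := 0; i < u16(6)+u16(8)+u16(10); i++ { // answer, authority, additional
		if off = skipName(msg, off); off+10 > len(msg) {
			return false, false
		}
		if u16(off) == 41 { // OPT: DO is the top bit of the TTL field's low 16 bits
			return u16(off+6)&0x8000 != 0, true
		}
		off += 10 + u16(off+8)
	}
	return false, off <= len(msg) // no OPT record, so DO was not signalled
}

// DOPreserved reports whether a forwarder kept the DO bit between the message it got and the one it sent.
func DOPreserved(in, out []byte) bool {
	q, qok := HasDO(in)
	r, rok := HasDO(out)
	return qok && rok && q == r
}

// Constructed samples: example.com A query with an OPT record, once with DO set and once cleared.
const head = "\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x07example\x03com\x00\x00\x01\x00\x01\x00\x00\x29\x04\xd0\x00\x00"
var sampleDO, sampleNoDO = []byte(head + "\x80\x00\x00\x00"), []byte(head + "\x00\x00\x00\x00")

func main() { fmt.Println(DOPreserved(sampleDO, sampleDO), DOPreserved(sampleDO, sampleNoDO)) }
```

Feeding it a captured client query together with the query the proxy forwarded upstream, or an upstream response together with the response returned to the client, shows whether DO survived each hop.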