I’m learning about DNSSEC today but I don’t quite understand how a parent zone would store all of its child’s Key Signing Keys (DNSKEY 257) in its DS record set.
As far as I understand, if I have a subdomain, say, subdomain.icann.org… Continue reading Since the DS recordset contains all of the child’s Key Signing Key, wouldn’t the DS recordset be massive and difficult to load for verification?→
Consider the following dig command and its truncated output:
dig . dnskey +dnssec +multi @a.root-servers.net
;; ANSWER SECTION:
. 172800 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh… Continue reading How can I validate the root DNS key-signing-key on the command line?→
When a Windows computer wants to resolve a domain name, it offloads the request to a DNS resolver and tells the resolver that it wants to resolve with DNSSEC (by setting the ‘DO’ bit in the query). The DNS resolver will use DNSSEC and will… Continue reading DNSSEC Client Validation – The Last Mile in DNSSEC→
I am reading up on secure DNS (DoH, DoT) and trying to identify its differences. Currently, I am on https://www.cloudflare.com/learning/dns/dns-over-tls/ page.
Is there for example some non-negligible performance hit between those two?
I… Continue reading Secure DNS (DoH, DoT) differences, performance, comparison→
I set up OpenWRT on my Belkin RT3200 and I want to have Quad9 encrypted DNS with DNSSEC and Secure SNI, but I could not figure out how to set up DNSCrypt correctly on my router and I’m not sure if that’s the best method.
I’d like to avoid … Continue reading How to set up DNS encryption on my home router? [migrated]→
I’m trying to implement a toy project DNSSEC supported DNS resolver to learn about both DNS and DNSSEC.
Most of my implementation is finished. But for some domains it’s not working correctly, and I noticed some differences when comparing … Continue reading How to properly handle DNSKEY delegation across DNS zones?→
I tried dig +dnssec dig [domain name] +dnssec +short. Is RRSIG the only attribute to confirm if a name server has DNSSEC implemented or not? How do I identify a name server that has no DNSSEC implemented?
Also, what tools can I use to test… Continue reading How to identify a name server that does not have DNSSEC implemented?→
I use dnscrypt-proxy’s Anonymized DNSCrypt with multiple relays, force it all to use TCP, and route them over Tor.
Does this prevent my ISP or anyone in my country from seeing my DNS queries and client hellos when connecting to websites and servers… Continue reading Is Anonymized DNSCrypt over Tor a better alternative to having Doh+ECH?→
First, I can update this with the affected domain, if it’s critical, but for obvious reasons I’d like not to be the target of more problems.
Someone registered some CAA records for my domain.
I have full control of all related accounts: Re… Continue reading Someone issued fake CAA records for my domain. What is the most important thing to do to resolve it?→
I am building an application in ASP.NET Core MVC which allows users to enter a domain name and click submit >> then the application should check if DNSSEC is set up for a domain >> update the database accordingly.
So is there a …. Continue reading Power Shell or .Net library to check if DNSSEC is setup for a domain [closed]→