DNSSEC is not validated #1287

Open
onovy opened this issue Dec 1, 2023 · 1 comment

onovy commented Dec 1, 2023

Hi,

according to the README, blocky supports DNSSEC. This is only "half-true". Blocky supports RRSIG/etc. records, but doesn't validate the DNSSEC trust chain at all. It just trusts validation done by the upstream resolver, which is not secure enough.

The dns library used doesn't do validation per se (confirmed by the author), but it can be added. For inspiration on how to do validation correctly, see sdns, which uses the same dns library.

@kwitsch kwitsch added this to the future milestone Dec 1, 2023
@kwitsch kwitsch added the 🔨 enhancement New feature or request label Dec 1, 2023
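
What validating one link of the trust chain locally involves, as an added example that is not part of the original thread and not code from blocky, sdns or the dns library: it checks that a zone's DNSKEY matches the DS record published by its parent (RFC 4034), rather than relying on the upstream resolver's verdict. The `DNSKEY`/`DS` types and function names are hypothetical, only DS digest type 2 (SHA-256) is handled, and a full validator would also verify the RRSIG signatures and repeat this up to the root trust anchor.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// DNSKEY carries raw RDATA: flags(2) | protocol(1) | algorithm(1) | public key.
type DNSKEY struct {
	Owner string
	RDATA []byte
}
// DS is the parent zone's record; only digest type 2 (SHA-256) is handled here.
type DS struct {
	KeyTag                uint16
	Algorithm, DigestType uint8
	Digest                [32]byte
}

// KeyTag follows RFC 4034 Appendix B (every algorithm except 1).
func KeyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * (1 - uint(i)&1)) // even offsets are high bytes
	}
	return uint16(ac + ac>>16)
}

// Digest is SHA-256(canonical owner name | RDATA); assumes no escaped dots.
func Digest(k DNSKEY) [32]byte {
	var buf []byte
	for _, l := range strings.Fields(strings.ReplaceAll(strings.ToLower(k.Owner), ".", " ")) {
		buf = append(append(buf, byte(len(l))), l...)
	}
	return sha256.Sum256(append(append(buf, 0), k.RDATA...))
}

// MatchesDS reports whether the parent's DS vouches for this key, which must
// carry the Zone Key flag and protocol 3.
func MatchesDS(k DNSKEY, ds DS) bool {
	return len(k.RDATA) > 4 && k.RDATA[0]&1 == 1 && k.RDATA[2] == 3 &&
		ds.DigestType == 2 && ds.Algorithm == k.RDATA[3] &&
		ds.KeyTag == KeyTag(k.RDATA) && ds.Digest == Digest(k)
}
func main() { // constructed sample: placeholder key bytes, not a real zone's key
	k := DNSKEY{"Example.COM.", append([]byte{1, 1, 3, 13}, "placeholder key"...)}
	ds, bad := DS{KeyTag(k.RDATA), 13, 2, Digest(k)}, DNSKEY{k.Owner, []byte{1, 1, 3, 13, 0}}
	fmt.Println("genuine:", MatchesDS(k, ds), "substituted:", MatchesDS(bad, ds))
}
```
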
@starsoccer

Bump on this, would love to see support for it.
