Adguardhome: Add DNSSEC support

Created on 18 Oct 2016 · 41 Comments · Source: AdguardTeam/AdGuardHome

I think adding full DNSSEC validation will make all queries more reliable unless clients explicitly opt out.

High enhancement


All 41 comments

It makes sense, thank you for the feature request!

I came here to make this same request.

To test if DNSSEC is enabled, open sigfail.verteiltesysteme.net: you should get an error. If you test sigok.verteilesysteme.net, you should see a blank page.
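The browser test above works because a validating resolver answers the sigok name with the AD (Authenticated Data) bit set and refuses the sigfail name with SERVFAIL, while a non-validating resolver answers both with AD clear. The following is an added example, not AdGuard Home code: it parses the fixed 12-byte DNS header in Go with only the standard library and classifies a response the way the test does. The three sample headers are constructed for the demonstration (question and answer sections omitted), and the verdict strings are my own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RCODE values from RFC 1035 section 4.1.1.
const (
	RcodeNoError  uint8 = 0
	RcodeServFail uint8 = 2
)

// Header holds the fields of the fixed 12-byte DNS message header.
// AD and CD are the DNSSEC bits defined in RFC 4035 section 3.2.
type Header struct {
	ID                                 uint16
	QR, AA, TC, RD, RA, AD, CD         bool
	Opcode, Rcode                      uint8
	QDCount, ANCount, NSCount, ARCount uint16
}

// ParseHeader decodes the first 12 bytes of a wire-format DNS message.
func ParseHeader(msg []byte) (Header, error) {
	if len(msg) < 12 {
		return Header{}, errors.New("dns: message shorter than the 12-byte header")
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	return Header{
		ID:      binary.BigEndian.Uint16(msg[0:2]),
		QR:      flags&0x8000 != 0,
		Opcode:  uint8(flags>>11) & 0x0F,
		AA:      flags&0x0400 != 0,
		TC:      flags&0x0200 != 0,
		RD:      flags&0x0100 != 0,
		RA:      flags&0x0080 != 0,
		AD:      flags&0x0020 != 0,
		CD:      flags&0x0010 != 0,
		Rcode:   uint8(flags & 0x0F),
		QDCount: binary.BigEndian.Uint16(msg[4:6]),
		ANCount: binary.BigEndian.Uint16(msg[6:8]),
		NSCount: binary.BigEndian.Uint16(msg[8:10]),
		ARCount: binary.BigEndian.Uint16(msg[10:12]),
	}, nil
}

// Verdict is how a response reads from the client's side of the sigok/sigfail test.
type Verdict string

const (
	Validated   Verdict = "validated: resolver set the AD bit"
	Rejected    Verdict = "SERVFAIL: resolver refused to return the answer"
	Unvalidated Verdict = "answered, but not validated (AD clear)"
)

// ClassifyDNSSEC maps a response to the outcome the browser test shows:
// sigok from a validating resolver carries AD=1, sigfail comes back SERVFAIL,
// and a non-validating resolver answers both with AD=0.
func ClassifyDNSSEC(msg []byte) (Verdict, error) {
	h, err := ParseHeader(msg)
	if err != nil {
		return "", err
	}
	if !h.QR {
		return "", errors.New("dns: message is a query, not a response")
	}
	switch {
	case h.Rcode == RcodeServFail:
		return Rejected, nil
	case h.AD:
		return Validated, nil
	default:
		return Unvalidated, nil
	}
}

// Constructed 12-byte headers (no question/answer sections) for the three cases.
var (
	// flags 0x81A0: QR=1 RD=1 RA=1 AD=1, RCODE=0 (NOERROR)
	SampleValidated = []byte{0x12, 0x34, 0x81, 0xA0, 0, 1, 0, 1, 0, 0, 0, 1}
	// flags 0x8182: QR=1 RD=1 RA=1, RCODE=2 (SERVFAIL)
	SampleServFail = []byte{0x12, 0x35, 0x81, 0x82, 0, 1, 0, 0, 0, 0, 0, 1}
	// flags 0x8180: QR=1 RD=1 RA=1, AD=0, RCODE=0 (NOERROR)
	SampleUnvalidated = []byte{0x12, 0x36, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0}
)

func main() {
	cases := []struct {
		name string
		msg  []byte
	}{
		{"sigok via validating resolver", SampleValidated},
		{"sigfail via validating resolver", SampleServFail},
		{"sigok via non-validating resolver", SampleUnvalidated},
	}
	for _, c := range cases {
		v, err := ClassifyDNSSEC(c.msg)
		if err != nil {
			fmt.Println(c.name, "->", err)
			continue
		}
		fmt.Println(c.name, "->", v)
	}
}
```

Two caveats a practitioner should keep in mind. The AD bit only means something when the path between the client and the validating resolver is trusted (a local resolver, or DoT/DoH to a resolver you trust); an on-path party can set or clear it. And SERVFAIL is not proof of a validation failure: it is also what an ordinary upstream failure looks like, which is exactly what happens later in this thread. The usual way to tell the two apart is to repeat the query with the CD (Checking Disabled) bit set: if it then succeeds, the validator rejected the data; if it still fails, the problem is reachability.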

Unfortunately, another DNSSEC resolver test fails so far.

Not yet, guys. I am sorry for the delays, we're a bit limited in resources, and I'd like not to switch to DNS tasks until we can really focus on them.

No worries! Just figuring, since DNSCrypt got done, perhaps this got some love as well. Keep on 🚚ing! 📣

Any update on this?

@evilvibes we don't want to touch the current installation until the updated version is ready. That's why this issue is still open.

So, does that mean there's a ß version someplace? Will it be accessible to play with/test sometime?


I'd say it's more of a "demo" at the moment. The old code was tossed out, and the new version is basically a patched Unbound DNS server. Not yet available publicly.

Yes. Will wait for DNSSEC support. Most important thing in modern Russia.

Hi there, any news about DNSSEC?

And do you think there's an option to start a server in central Europe, for example Frankfurt or Zurich?

greets

Central Europe Server would be great, yes 👍

Jupp, would be great, so my route doesn't have to go over half of the world, as I wrote months ago ^^

Any updates on this issue? DNSSEC is very important and has been receiving increased attention lately, including as a part of Cloudflare's Crypto Week 2018 (https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/).

I was planning to open a DNSSEC request as well, but since there is already one, here is one more person who wishes for this option.

We'll prioritize this issue, guys, thank you!

News? It looks like, the way I'm running AGH, DNSSEC is running.

Do you have any news? It's a big feature now for a DNS server. Thanks!

No news on this yet, sorry

How far are you from implementing this?
It's the only thing keeping me on Pi-hole, together with https://github.com/AdguardTeam/AdGuardHome/issues/922 and a few other things in milestone 0.101.

Just to keep in mind: it should be possible to mark some domains and zones as "insecure", so that verification is not attempted at all.

Thank you very much 👍

Recently, I enabled dnsmasq's DNSSEC on my OpenWrt router; it works as a DNS proxy, just the same as a normal router, and AGH is on my laptop. I set AGH as the local DNS and CF (DoT) as its upstream. However, when dnsmasq's DNSSEC is enabled, AGH fails to return any valid DNS response. According to AGH's verbose log, it seems that AGH just gets a connection error from upstream and then returns an error (but I'm not so sure about that; my internet connectivity is working properly). When I switched off dnsmasq's DNSSEC, AGH worked properly.

Any suggestion?

@kmahyyg have you tried checking what exactly dnsmasq returns for these queries?

Yes, I tried. Works perfectly.


Weird, what kind of connection error does AGH receive?


I don't know. I turned on verbose; all logging seems perfect, I just get the response from upstream as NORESPONSE FROM UPSTREAM. Then the DNS request timed out. But those domains really exist. I tried to use kdig with the upstream set correctly, and the domain exists.

After I turned off DNSSEC on my router, everything works. BTW, I'm in mainland China, which has serious network censorship.

Could you please post a part of the log with these requests and responses? Maybe I'll notice something there


logfile-20200416-2.log

Here's the full log after I enabled DNSSEC on my router. Since I've configured the upstream as the log shows, it shouldn't fail to respond.

#1579 might be related to this issue.

At the same time when AGH failed,
image

@kmahyyg Can you disable SafeBrowsing?
In your logs I only see "SafeBrowsing: checking..." but no sign of the results of the SB check. That's very strange considering the 3 sec timeout for those operations.
Looks like a global deadlock to me: no goroutine has woken up from the SB check.


I will try later... But I think DNSSEC shouldn't be affiliated with SB?

@szolin

Here's why it happens:

2020/04/16 10:40:18 17356#55 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): successfully finished lookup for dns-family.adguard.com in 59 milliseconds using 176.103.130.131. Result : []
2020/04/16 10:40:18 17356#54 [debug] github.com/AdguardTeam/dnsproxy/upstream.lookup(): successfully finished lookup for dns-family.adguard.com in 78 milliseconds using 176.103.130.130. Result : []

@kmahyyg
Could it be that your router intercepts plain DNS queries and does some additional filtering? Because it seems that when DNSSEC is enabled, we cannot resolve dns-family.adguard.com address (empty "Result: []" in the log)


pretty weird......

image

Okay, I see the problem. The last screenshot is with DNSSEC disabled.

image

This is with it enabled. The problem is SERVFAIL. But even so, this should not happen. Why does DNSSEC use my router's DNS instead of the upstream DNS servers I specified in the AGH settings?


We use it just one time: when we resolve the dns-family.adguard.com address for the first time.


Maybe that's the problem... there's a circle.

Look (example):

router DNS (dnsmasq) 127.0.0.1:53 forwards to AGH on 127.0.0.1:55

AGH asks the router the first time "hey, what's dns-family.adguard...". The router asks back... we've got a circle.

A possible solution is for AGH to always do the first request to quad9 or $upstreamresolvers.
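The circle described in the comment above is a forwarding loop, and whether it exists can be read straight off the configuration: each resolver names the resolvers it sends queries to, and a cycle in that graph means a query can come back to its origin. The following is an added example in Go, not AdGuard Home's code: a small depth-first search over a forwarding graph, run on a constructed version of the setup from the comment (router dnsmasq on :53 forwarding to AGH on :55, AGH bootstrapping through the system resolver, which is the router) and on the same setup with the bootstrap pointed at a fixed upstream instead. The node names are my own labels.

```go
package main

import (
	"fmt"
	"strings"
)

// ForwardGraph maps a resolver to the resolvers it sends queries to.
// Node names are constructed labels for this example.
type ForwardGraph map[string][]string

// FindLoop walks the graph depth-first from start and returns the first
// forwarding cycle it finds as the chain of hops (ending where it began),
// or nil when no query path can return to an earlier hop.
func (g ForwardGraph) FindLoop(start string) []string {
	const (
		unvisited = iota
		onPath    // currently on the DFS stack
		done      // fully explored, no cycle through here
	)
	state := map[string]int{}
	var path []string
	var dfs func(n string) []string
	dfs = func(n string) []string {
		state[n] = onPath
		path = append(path, n)
		for _, m := range g[n] {
			switch state[m] {
			case onPath:
				// m is already on the current path: the cycle is path[i:] + m.
				for i, p := range path {
					if p == m {
						return append(append([]string(nil), path[i:]...), m)
					}
				}
			case unvisited:
				if cyc := dfs(m); cyc != nil {
					return cyc
				}
			}
		}
		path = path[:len(path)-1]
		state[n] = done
		return nil
	}
	return dfs(start)
}

// Describe renders a loop as "a -> b -> a" for a log line or config check.
func Describe(loop []string) string {
	if loop == nil {
		return "no forwarding loop"
	}
	return strings.Join(loop, " -> ")
}

// Constructed model of the setup in the comment: dnsmasq on the router
// forwards to AGH; AGH's first lookup goes to the system resolver, which
// points back at the router.
var Looping = ForwardGraph{
	"dnsmasq:53":      {"agh:55"},
	"agh:55":          {"system-resolver"},
	"system-resolver": {"dnsmasq:53"},
}

// Same setup, but the bootstrap lookup goes to a fixed upstream (Quad9 here).
var Fixed = ForwardGraph{
	"dnsmasq:53": {"agh:55"},
	"agh:55":     {"9.9.9.9:53"},
	"9.9.9.9:53": {},
}

func main() {
	fmt.Println("router -> AGH -> system resolver:", Describe(Looping.FindLoop("dnsmasq:53")))
	fmt.Println("router -> AGH -> fixed upstream:  ", Describe(Fixed.FindLoop("dnsmasq:53")))
}
```

The check is worth running whenever a local forwarder (dnsmasq, systemd-resolved, a router) sits in front of the server and the server has any lookup path that falls back to the system resolver: every such fallback is an edge in this graph, and the loop only disappears when none of them leads back to the forwarder.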


Are you sure? Can you show the packets AGH sends to your router?
AGH uses these 2 IP addresses "176.103.130.130", "176.103.130.131" to resolve dns-family.adguard.com.

@szolin I suppose that the router may be intercepting plain DNS queries.


In this case there's nothing wrong with AGH - it's this particular router's configuration problem.


Sure, but we shouldn't get stuck in the case where we cannot resolve that address; the safe browsing check should simply fail quickly.
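The point in the comment above, and in the earlier deadlock diagnosis ("no goroutine has woken up from the SB check"), is that a filtering check must be bounded: whatever its backend does, the query path has to get an answer within the timeout. The following is an added example in Go, not AdGuard Home's code, of that pattern. The Lookup hook, the two constructed backends and the hostnames are my own; the shape is a context deadline plus a select, so a backend that hangs, deadlocks or loses its upstream produces a quick error instead of a stuck query.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Lookup is a hypothetical hook that answers "is host on the safe-browsing
// list?". It stands in for whatever backend a real server uses.
type Lookup func(ctx context.Context, host string) (bool, error)

// ErrCheckTimedOut is returned when the backend did not answer in time.
var ErrCheckTimedOut = errors.New("safebrowsing: check timed out")

// CheckSafeBrowsing runs lookup under a hard deadline. The caller always gets
// a result within timeout: a verdict, or an error it can log and move past.
// A failed check is reported as "not blocked" plus an error, so the query is
// answered rather than left hanging; the caller decides how loudly to log it.
func CheckSafeBrowsing(parent context.Context, lookup Lookup, host string, timeout time.Duration) (blocked bool, err error) {
	ctx, cancel := context.WithTimeout(parent, timeout)
	defer cancel() // also tells a still-running backend to give up

	type result struct {
		blocked bool
		err     error
	}
	// Buffered so a late goroutine can still deliver its result and exit
	// instead of blocking forever on a channel nobody reads.
	ch := make(chan result, 1)
	go func() {
		b, e := lookup(ctx, host)
		ch <- result{b, e}
	}()

	select {
	case r := <-ch:
		if r.err != nil {
			return false, fmt.Errorf("safebrowsing: %s: %w", host, r.err)
		}
		return r.blocked, nil
	case <-ctx.Done():
		return false, fmt.Errorf("%w: %s after %v", ErrCheckTimedOut, host, timeout)
	}
}

// StuckLookup is a constructed backend that never answers on its own; it only
// returns once ctx is cancelled, modelling a check whose goroutine never wakes up.
func StuckLookup(ctx context.Context, host string) (bool, error) {
	<-ctx.Done()
	return false, ctx.Err()
}

// ListLookup is a constructed backend that answers immediately from a fixed list.
func ListLookup(ctx context.Context, host string) (bool, error) {
	return host == "malware.example", nil
}

func main() {
	start := time.Now()
	blocked, err := CheckSafeBrowsing(context.Background(), StuckLookup, "example.com", 200*time.Millisecond)
	fmt.Printf("stuck backend: blocked=%v err=%v (returned after %v)\n",
		blocked, err, time.Since(start).Round(time.Millisecond))

	blocked, err = CheckSafeBrowsing(context.Background(), ListLookup, "malware.example", 200*time.Millisecond)
	fmt.Printf("list backend:  blocked=%v err=%v\n", blocked, err)
}
```

The design choice worth stating is fail-open versus fail-closed. For a safety-list check in a resolver, failing open (answer the query, log the failed check) is what the comment above asks for: failing closed would turn every backend outage, including the bootstrap loop discussed in this thread, into a DNS outage for every client. The same bound should cover every dependency the check has, including the resolution of the service's own hostname; a timeout on the HTTP call alone does not help if the DNS lookup before it has no deadline.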

#1612
