"DNSSEC Validated" icon near DNSSEC incorrect domain #3017
Comments
ainar-g
added
bug
needs investigation
|
Yeah, the icon is indeed misleading and we'd better improve it. And not just it, DNSSEC check should be implemented fully and not as it is now: AGH does not perform the validation by itself, it just asks the upstream resolver to do it. The icon indicates the fact that it asked to validate but does not indicate the fact that the validation failed. |
|
Additional suggestions from #4258:
In any case, those indicators could probably be more informative. |
|
I have found out, that the optimistic cache is serving outdated DNSSEC signed responses, which are considered bogus by other DNSSEC validating software like Mozilla Thunderbird DKIM Verifier add-on. Not really a big deal, but can cause troubles for other users. Proposal: add an option to opt DNSSEC-signed domains out from the optimistic cache. |
Probably we should simply automatically exclude signed responses (i.e. that have an |
System Details:
Describe the bug
I use Unbound + Adguard Home
I turned on "Enable DNSSEC" feature in Adguard home
I use www.servfail.sidnlabs.nl and www.dnssec-failed.org domains to check if DNSSEC checks are really working
When DNSSEC checks are turned on in Unbound and Adguard Home:
Expected behavior:
No "DNSSEC Validated" icon near www.servfail.sidnlabs.nl and www.dnssec-failed.org domains in Adguard Home, because Unbound has restricted us from entering these domains with SERVFAIL
Actual behavior:
When DNSSEC checks are turned off in Unbound and turned on in Adguard Home:
Expected behavior:
Domains www.servfail.sidnlabs.nl and www.dnssec-failed.org are inaccessible (SERVFAIL) and no "DNSSEC Validated" icon near them
Actual behavior:
P.S.
If it's correct behavior of Adguard Home, than "DNSSEC Validated" icon is quite misleading.
The text was updated successfully, but these errors were encountered: