Does 1.1.1.1 really run DNSSEC?


#1

I have 1.1.1.1 (and its backup as well as IPv6) loaded into my router. The thing is it is spewing errors:

Insecure DS reply received, do upstream DNS servers support DNSSEC?

Sometimes many times with the same timestamp. Sometimes not for a long while.

Asus RT-AC86U
Merlin 384.6


#2

What domains are you trying to reach?


#3

No way of really telling unless I keep going to random links and tail the syslog. I really do not have time for that.


#4

This is virtually always an issue in the underlying domain’s DNSSEC configuration.


#5

Yet I do not get these errors swapping back to Google or other DNS servers.


#6

Did some reading on the firmware makers forums. Seems cloudFlare is not using full/proper DNSSEC spec.

I wonder how long this will take to get fixed.


#7

Just noticed https://www.aljazeera.com/ is not resolving and the router is throwing the error every time I try.


#8

That domain doesn’t have DNSSEC enabled. It may be your ISP, can you see if it fails by setting router DNS to default or Google and setting your OS’s dns to 1.1.1.1?


#9

@crkinard can you clarify where in that post you see a DNSSEC issue? DNSCrypt is a different technology.

What I’ve seen with these issues in the past is other DNS providers are more lax about validating the DNSSEC, allowing through sites which should rightfully be broken.


#10

I think this might be kresd #359.

aljazeera.com. has said invalid configuration:

aljazeera.com.          300     IN      CNAME   2-01-3b91-0003.cdx.cedexis.net.
2-01-3b91-0003.cdx.cedexis.net. 20 IN   CNAME   www.aljazeera.com.edgekey.net.
www.aljazeera.com.edgekey.net. 21600 IN CNAME   e9106.dscg.akamaiedge.net.
e9106.dscg.akamaiedge.net. 20   IN      A       23.210.132.235

When I Googled that DNSMasq error message, that was the only concrete explanation I found. For all I know, it could happen for lots of other reasons too.

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q3/012392.html

(Relating to a different domain and resolver.)

There’s no issue with kresd’s own, internal DNSSEC validation – as far as I know – but there are issues with its responses that can break validating clients.