Does the cloudflareD DNS client locally verify DNSSEC?

Question originally asked on GitHub, but without an answer:


> In context of,
> 
> * https://blog.cloudflare.com/welcome-hidden-resolver/
> * https://developers.cloudflare.com/1.1.1.1/other-ways-to-use-1.1.1.1/dns-over-tor
> * https://developers.cloudflare.com/1.1.1.1/encrypted-dns/dns-over-https/dns-over-https-client
> 
> it is not mentioned whether the `cloudflared` DNS resolver is a validating DNS resolver.
> 
> Feature request:
> validate DNSSEC at the end-user's [cloudflare***d***](https://github.com/cloudflare/cloudflared) instance

So does the cloudflared DNS client locally verify DNSSEC or not?

From skimming the code, it just appears to proxy DNS requests. However, it is better to wait for an answer on the issues.

If you want something that will out of the box, then check out: https://www.dnscrypt.org/

I am not sure, but dnscrypt also does not locally verify DNSSEC yet; check:

Why would the local client need to validate DNSSEC, as it’s basically just a proxy? Use a DNSSEC-validating resolver, like 1.1.1.1.

1 Like

If it reasonably can be validated locally for better security it should be. Encryption + authentication, similar to TLS for websites.

Similar to OpenPGP end-to-end encrypted and authenticated e-mails. It’s preferable to verify e-mail signatures locally rather than trust the server to do that.

1 Like
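The trust difference debated in the replies above, as an added example that is not part of the original thread and is not cloudflared code: it parses a DNS reply and reports whether the client only has the resolver's AD ("Authenticated Data") flag to go on, or actually received RRSIG records it could check itself. The sample replies, the placeholder RRSIG bytes and the function names are constructed for illustration.

```python
import struct

AD_FLAG = 0x0020                  # header bit: upstream resolver claims it validated
TYPE_A, TYPE_RRSIG = 1, 46
A_RDATA = bytes([192, 0, 2, 1])   # constructed sample address (TEST-NET-1)
FAKE_RRSIG = b"\x00" * 24         # constructed placeholder, not a real signature

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(flags, rrs, qname="example.com"):
    """Build a constructed reply: one question, answers point back at its name."""
    msg = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!2H", TYPE_A, 1)
    for rtype, rdata in rrs:
        msg += b"\xc0\x0c" + struct.pack("!2HIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def trust_basis(msg):
    """Say what a client receiving this reply can base its trust on."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    if TYPE_RRSIG in types:       # only sent when the query set the EDNS DO bit
        return "signatures present: local validation possible"
    if flags & AD_FLAG:
        return "AD bit only: trusting the upstream resolver"
    return "no DNSSEC assurance"

if __name__ == "__main__":
    for flags, rrs in [(0x81A0, [(TYPE_A, A_RDATA)]),
                       (0x81A0, [(TYPE_A, A_RDATA), (TYPE_RRSIG, FAKE_RRSIG)]),
                       (0x8180, [(TYPE_A, A_RDATA)])]:
        print(hex(flags), trust_basis(build_response(flags, rrs)))
```

Seeing RRSIG records is only the precondition for local validation; the client would still have to verify them against the DNSKEY/DS chain up to the root trust anchor.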