DNSSEC is not validated

Hi,

according to README, blocky supports DNSSEC. This is only "half-true". Blocky support RRSIG/etc records, but doesn't validate DNSSEC trust chain at all. It just trust validation done by upstream resolver, which is not secure enough.

Used [dns library](https://github.com/miekg/dns ) doesn't do validation per-se ([confirmed by author](https://github.com/miekg/dns/issues/1251#issuecomment-808855833)), but it can be added. For inspiration how to do validation correctly, see [sdns](https://github.com/semihalev/sdns) which uses same dns library.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

DNSSEC is not validated #1287

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

DNSSEC is not validated #1287

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions