[ADH] What does mean and does "Enable DNSSEC" at DNS settings ?

[matikken]

HI
In AdGuard Home there is an option:
Enable DNSSEC (set dnssec flag at outcoming queires, and check the results, dnssec enabled resolver is required).

Unfortunatelly i cant find any information what devs had in mind writing this.
ADH is proxy DNS server, so what "flag" they are talking about ? They mean DO or CD flag ? or what? Nothing makes sense with what they wrote . What "check"? This whole statement is confusing and not precise.

Generally DNSSEC-enabled at least in Bind means that such server should work as dns recursive resolver (not proxy) with activated DNSSEC validation (thats means he has to manage his own trust anchor etc) and it set "do" flag at every query.
What does it means at ADH case ?

[matikken]

nobody ?

[Disqu3-mirOir-qt]

https://en.m.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

[matikken]

??? Please read carefully the topic. This dont answer the question.

[shruuub]

Basically, the upstream needs to support DNSSEC in the first place. Now, when it does support it, but DNSSEC isn't enabled, it simply ignores the validation, but if it's enabled it recognizes the validation and also caches it locally for a while.

At least that's what I understand, contracdict me if I'm wrong.

[andekande]

Enabling this, makes sure the request does NOT have the CD bit set and that the responses AD bit (from upstream) is evaluated in AGH, eg. to decide whether to cache the response and to show you the trustworthiness on the UI.

So it tells the resolver to validate its finding and include it in its answer to AGH. Since that validation requires cryptographic processing by the resolver you can turn it off, to gain some milliseconds from a not validated (aka potentially spoofed) response.

You can have it enabled even when the upstream does not support it. The name will be resolved anyways. If the upstream supports it you'll get a green shield icon in the Query Log (based on the AD bit being set):

Sources:
#4942
https://www.freesoft.org/CIE/RFC/2065/40.htm

[matikken]

thx for trying, but you claim what flag is NOT set (CD) but you also dont directly tell what flag IS set in AGH. I again quote original AGH description 'set dnssec flag at outcoming queires" . You focus more on answer flags where "AD" plays its role. However i guess in your version if its not "CD" then it have to be "DO" flag. ADH sending "DO" flag tells dnssec validating resolver to send back reply BUT with "AD" flag because client (AGH) advertised that it is dnssec aware. On the other hand it could also be "CD" flag where AGH want to be validating resolver itself (as "enable dnssec" generally means), and you get the same results as on your the screen.

Im leaning more towards "do" flag, but its still not certain. I strongly recommend to AGH developers to put clear description and just add documentation.