DNSSEC incelemeleri
DNSSEC geliştiren: Antoine POPINEAU
Antoine POPINEAU adlı kullanıcının yanıtı
Geliştiricinin yanıtı
gönderilme: 6 yıl önceFirstly, we do not use unencrypted connections, everything is done through HTTPS.
Then, the developers of the former DNSSEC-Validator said themselves they would not port their extension because of missing APIs in Firefox 57+. As mentionned in another comment, as far as we know, there is no way of crafting and executing a raw UDP or TCP packet in Firefox 57+. We are therefore forced to use HTTPS to perform all DNS queries through HTTP resolvers.
That being said, I agree using Google by default is not a good choice, and a choice that was made as a proof of concept. I am in the process of forking OpenDNS HTTP resolver to support reporting DNSSEC status, so you can self-host your resolver and use it with this extension instead of Google's.
But that self-hosted resolver will always be an option. The extension has to work on first run, for non-technical people, and must use a publicly-hosted HTTP-based DNS resolver. If you have any service that does that outside Google, I'll be happy to integrate it.
Then, the developers of the former DNSSEC-Validator said themselves they would not port their extension because of missing APIs in Firefox 57+. As mentionned in another comment, as far as we know, there is no way of crafting and executing a raw UDP or TCP packet in Firefox 57+. We are therefore forced to use HTTPS to perform all DNS queries through HTTP resolvers.
That being said, I agree using Google by default is not a good choice, and a choice that was made as a proof of concept. I am in the process of forking OpenDNS HTTP resolver to support reporting DNSSEC status, so you can self-host your resolver and use it with this extension instead of Google's.
But that self-hosted resolver will always be an option. The extension has to work on first run, for non-technical people, and must use a publicly-hosted HTTP-based DNS resolver. If you have any service that does that outside Google, I'll be happy to integrate it.
37 inceleme
- 5 üzerinden 3 puanyazan: Firefox kullanıcısı 18361289, 2 ay önceCan hopefully be made even better with https://bugzilla.mozilla.org/show_bug.cgi?id=1852752
- 5 üzerinden 1 puanyazan: PSYCHOPATHiO, 3 ay öncethis is only a choice of 1.1.1.1 or 8.8.8.8 that i can manually enter in settings, poitless i guess
- 5 üzerinden 2 puanyazan: Popi, 10 ay önceUnfortunately we never got to choose the resolver, and now it just stopped providing accurate results altogether.
- 5 üzerinden 5 puanyazan: Firefox kullanıcısı 7035052, 2 yıl önceWow! A DNSSEC extension that works! And no extra steps to install either.
- 5 üzerinden 2 puanyazan: CognitiveFeline, 2 yıl önceused to display info and change but now it just always stays at NOPE doubt it's nope and 99% sure it's not me causing it.
- 5 üzerinden 1 puanyazan: ploedman, 2 yıl önceRecently the Addon shows my Domain as "not secure by DNSSEC". But 3 Website to test the DNSSEC status says the Domain is secured by DNSSEC.
- 5 üzerinden 2 puanyazan: MarSanMar, 2 yıl önceActualmente, esta extensión no funciona. La usé mucho tiempo y estaba contento con su funcionamiento, pero ahora mismo he tenido que buscar una alternativa.
- 5 üzerinden 5 puanyazan: Jernej, 3 yıl önce
- 5 üzerinden 1 puanyazan: Firefox kullanıcısı 13662450, 3 yıl önceNo longer works. Was good in the past, but these days say 100% of websites are not secured by DNSSEC, which is outright wrong.
- 5 üzerinden 4 puanyazan: Trashify, 4 yıl önce
- 5 üzerinden 5 puanyazan: Asclepius, 4 yıl önceThank you for this add-on. I just hope (since it isn't a "recommended" extension) that it is trustworthy. Aside from that concern, it serves its purpose. It would be nice if Firefox had built-in DNSSEC validation.
- 5 üzerinden 5 puanyazan: Boris Volkov, 4 yıl önce
- 5 üzerinden 4 puanyazan: Firefox kullanıcısı 15136226, 4 yıl önceThis add on works well, however there are some issues as pointed out by other reviewers. I would like to note that ECDSAP256SHA256 works for me. It would also be nice if the add on verified https sites with DANE pinned certificates.
- 5 üzerinden 4 puanyazan: Firefox kullanıcısı 14672905, 5 yıl önceIt's great! And yes, would be even better once we have custom DNS, over TLS or not.
But this is a feature I have been waiting for so long, so I'm not going to hide my current feeling about this extension, it's awesome!! - 5 üzerinden 3 puanyazan: Firefox kullanıcısı 13680056, 5 yıl önceIt will be nice to choose a custom DNSSec, I don't trust on google, and some ISP redirect the 1.1.1.1 to his own DNS.
- 5 üzerinden 5 puanyazan: Firefox kullanıcısı 15299958, 5 yıl önce
- 5 üzerinden 1 puanyazan: Renaud, 5 yıl önceUsing Cloudflare and Google for validation is not a good idea.
But also, validation fails for some kind of signatures, exemple: those using ECDSAP256SHA256. - 5 üzerinden 5 puanyazan: Firefox kullanıcısı 14754691, 5 yıl önce
- 5 üzerinden 2 puanyazan: Firefox kullanıcısı 14514156, 5 yıl önceI would give at least 4 stars, if it would use my local resolver instead of using google/cloudflare for DNS lookups.
Reason behind the downgrade:
1. it introduces a single point of failure:
if either of those sites can't answer, _ALL_ users of this extension (who have configured that site) can't use it, if it would use the local resolver and that failed it would be just the users of the local machine who experience that problem.
2. it is a privacy hazard:
a hacker needs to crack only a single (ok: two) machine(s) to get a complete log of who on this world tried to communicate with which web server....
if it would use the local configured resolver that _might_ still be a problem, depending on the configuration of said resolver, but mostly (I hope) those will contact multiple authoritative servers to walk from the root to the leaf containing the desired information and only the _last_ server will know which site I wanted to contact, but there it's irrelevant, since _that_ site knows it anyway.... (btw.: _THIS_ is the reason why I disabled this extension)
3. it can't verify local domains
according to 'dig' my own domains are DNSSEC enabled and working correctly, still your extension reports them as unsigned because there is no global glue record, as such while it is reachable from the world (via dyndns), the world doesn't see the DNSSEC information stored on my local dns-server. - 5 üzerinden 2 puanyazan: IPv777, 5 yıl öncePlease let the user choose (a text input) his own DNS resolver(s)
- 5 üzerinden 5 puanyazan: Firefox kullanıcısı 13310694, 6 yıl önce
- 5 üzerinden 5 puanyazan: YFdyh000, 6 yıl önce
- 5 üzerinden 1 puanyazan: Firefox kullanıcısı 12553117, 6 yıl önceGood PoC, but -4 (would rate 0 if it was possible) for crap called CF and Google.