Discussion topic: Adding DNSSEC support to Sky DNS servers

This message was authored by: hgwv

Adding DNSSEC support to Sky DNS servers

I think it would be good if Sky added DNSSEC support to their DNS servers. DNSSEC is a technology that verifies DNS records have not been modified fraudulently by checking their authenticity.

 

Granted, users can configure their devices to use third-party public DNS servers, since they all support DNSSEC, but it would be nice to see first-party support as well.

 

The DNS query below should fail on a DNSSEC-aware DNS server due to an intentionally broken signature.

 

> Resolve-DnsName sigfail.ippacket.stream -server 8.8.8.8
Resolve-DnsName : sigfail.ippacket.stream : DNS server failure
At line:1 char:1
+ Resolve-DnsName sigfail.ippacket.stream -server 8.8.8.8
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (sigfail.ippacket.stream:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName

 

 

> Resolve-DnsName sigfail.ippacket.stream -server 90.207.238.97

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
sigfail.ippacket.stream        CNAME  60    Answer     sigfail.rsa2048-sha256.ippacket.stream

Name       : sigfail.rsa2048-sha256.ippacket.stream
QueryType  : AAAA
TTL        : 60
Section    : Answer
IP6Address : 2a01:4f8:13b:2048::113


Name       : sigfail.rsa2048-sha256.ippacket.stream
QueryType  : A
TTL        : 60
Section    : Answer
IP4Address : 195.201.14.36
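
The test in the post above, at the DNS wire level, as an added example that is not part of the original post. It goes one step beyond the post by repeating the query with the Checking Disabled (CD) bit set, so a SERVFAIL caused by signature validation can be told apart from an ordinary resolver failure. The function names and the reply bytes are constructed for illustration.

```python
import socket
import struct

RD, CD, SERVFAIL = 0x0100, 0x0010, 2   # header flag bits and the RCODE for "server failure"

def build_query(name, qtype=1, cd=False, txid=0x1234):
    """DNS query with EDNS0 and the DO bit; cd=True sets Checking Disabled."""
    header = struct.pack("!HHHHHH", txid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT record: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO=0x8000, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(reply):
    """Return (rcode, answer_count) from the 12-byte DNS header."""
    if len(reply) < 12:
        raise ValueError("truncated DNS message")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    return flags & 0x000F, ancount

def classify(normal_reply, cd_reply):
    """Judge a resolver from its two replies for a name whose signature is deliberately broken."""
    rcode, answers = parse_header(normal_reply)
    cd_rcode, cd_answers = parse_header(cd_reply)
    if rcode == SERVFAIL and cd_rcode == 0 and cd_answers > 0:
        return "validating"        # fails only while validation is on
    if rcode == 0 and answers > 0:
        return "not validating"    # bogus data handed to the client
    return "inconclusive"          # e.g. SERVFAIL both times: outage, not proof

def probe(server, name, timeout=3.0):
    """Live check over UDP port 53 (needs network access)."""
    replies = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, cd=cd), (server, 53))
            replies.append(s.recvfrom(4096)[0])
    return classify(*replies)

# Constructed reply headers (not captured traffic): QR|RD|RA plus RCODE / CD / answer count.
SERVFAIL_REPLY = bytes.fromhex("123481820001000000000000")
CD_ANSWER_REPLY = bytes.fromhex("123481900001000300000000")
PLAIN_ANSWER_REPLY = bytes.fromhex("123481800001000300000000")

if __name__ == "__main__":
    print(classify(SERVFAIL_REPLY, CD_ANSWER_REPLY))        # validating
    print(classify(PLAIN_ANSWER_REPLY, PLAIN_ANSWER_REPLY))  # not validating
```

With network access, `probe("8.8.8.8", "sigfail.ippacket.stream")` runs the same classification against a live resolver, using the server and test name from the post.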

 


All Replies

This message was authored by: jamesn123

Re: Adding DNSSEC support to Sky DNS servers

Posted by a Superuser, not a Sky employee. Find out more

@hgwv 

I am sure Sky will be looking into doing it at some point. There is no need to post the same thing 3 times in 4 months.

I am NOT a Sky Employee
Myself & Others offer our time to help others, please be respectful.
This message was authored by: hgwv

Re: Adding DNSSEC support to Sky DNS servers


@jamesn123 wrote:

@hgwv 

I am sure Sky will be looking into doing it at some point.


 

What are you basing this assumption on?

This message was authored by: jamesn123

Re: Adding DNSSEC support to Sky DNS servers

Posted by a Superuser, not a Sky employee. Find out more

@hgwv wrote:

@jamesn123 wrote:

@hgwv 

I am sure Sky will be looking into doing it at some point.


 

What are you basing this assumption on?


The fact that DNSSEC is becoming more widely adopted and in the future it's very likely to be a normal feature of a DNS server, so it would be silly for Sky to not be looking into it.

This message was authored by: hgwv

Re: Adding DNSSEC support to Sky DNS servers


@jamesn123 wrote:

 

The fact that DNSSEC is becoming more widely adopted and in the future it's very likely to be a normal feature of a DNS server, so it would be silly for Sky to not be looking into it.


 

It would be silly, yes. And yet it's 2024, DNSSEC has been around for many years, all the major public DNS resolvers have enabled it. And yet Sky have not, and haven't even said anything publicly about enabling it, despite the obvious security benefits of validating DNS records.

Why do you think that is?

This message was authored by: jamesn123

Re: Adding DNSSEC support to Sky DNS servers

Posted by a Superuser, not a Sky employee. Find out more

@hgwv 

Simply compatibility.

Sky want minimal support cost overhead and adding DNSSEC at this stage could cause some devices to not work. It may also break functionality of products like Sky Shield. 

 

I am not aware of many or any major ISPs supporting DNSSEC at this time. Even Zen, who are known to be a more specialist ISP, don't support DNSSEC afaik.

This message was authored by: hgwv

Re: Adding DNSSEC support to Sky DNS servers

So based on what you just said, arguing there are potentially valid reasons for not implementing DNSSEC on Sky's resolvers, are you still sure Sky will be looking to implement it at some point?

This message was authored by: jamesn123

Re: Adding DNSSEC support to Sky DNS servers

Posted by a Superuser, not a Sky employee. Find out more

@hgwv wrote:

So based on what you just said, arguing there are potentially valid reasons for not implementing DNSSEC on Sky's resolvers, are you still sure Sky will be looking to implement it at some point?


Yes. Which is why I said 'at this stage'. As the technology matures & as Sky do more research and testing on the technology I am sure it will slowly trickle down. I know DNSSEC has been around for 10+ years but its adoption has been slow and it has not been as popular as developments like WiFi 6, WPA3 etc.

This message was authored by: hgwv

Re: Adding DNSSEC support to Sky DNS servers

Do Superusers have any ability to ask Sky staff questions about things such as plans for DNSSEC rollout?

This message was authored by: jamesn123

Re: Adding DNSSEC support to Sky DNS servers

Posted by a Superuser, not a Sky employee. Find out more

@hgwv 

We have a private board in which we can propose questions to Sky Staff; however, we are not guaranteed an answer from them, nor are the Staff able to provide insights into everything Sky are doing.

This message was authored by: hgwv

Re: Adding DNSSEC support to Sky DNS servers

Are you willing to post my question to that board?

This message was authored by: jamesn123

Re: Adding DNSSEC support to Sky DNS servers

Posted by a Superuser, not a Sky employee. Find out more

@hgwv 

I can certainly try and get an answer for you, but like I said, it is not guaranteed.

This message was authored by: hgwv

Re: Adding DNSSEC support to Sky DNS servers

Appreciated. I also think demonstrating customer demand is another way Sky might take notice. I know it is unlikely Sky staff with any authority over the DNS resolvers will read my posts, but there's a small chance.

This message was authored by: lettice

Re: Adding DNSSEC support to Sky DNS servers

Posted by a Superuser, not a Sky employee. Find out more

Not aware of any ISP that has implemented this as you are 'basically' proposing.

It would be a complex task, break a lot of current traffic for the UK-based customer via ISP, and a lot of the backend tools of the ISPs would most probably need to be re-engineered. That I feel would be a major task and is probably part of their ongoing product upgrade plan anyway.

There are many ways to avoid such pass throughs and I expect Sky, their partners and other ISPs already have them active on their networks to protect customers.

Sky Community Superuser. What is a Superuser? Click here to find out
Sky Stream with two pucks (Former Sky Q and Sky+ customer), Sky Ultrafast + using Sky SR203 hub. Sky Protect kit tester.
My good journey to Sky Stream from Sky Q. Click here to read
This message was authored by: hgwv

Re: Adding DNSSEC support to Sky DNS servers

@lettice  I do not share your pessimism over DNSSEC. All of the public DNS resolvers enabled DNSSEC a long time ago and when using them everything works as before, except that when I resolve domains with DNSSEC enabled I have an assurance the DNS records are genuine.
