From Fedora Project Wiki

Revision as of 12:16, 6 January 2016 by Pspacek (talk | contribs) (initial write-up)

Overview of DNSSEC support in operating systems

Date: 2016-01-06

Windows

Windows clients as shipped by Microsoft cannot do DNSSEC validation locally. DNSSEC validation can be explicitly required for certain sub-domains in the "Name Resolution Policy Table", but all clients depend on remote servers for validation. This policy can be centrally managed using Group Policies.

This can be secure only if the remote server is always reachable over an IPsec tunnel. Windows clients have means to enforce that:

Personally I believe that this is unworkable when Captive portals are in play but might be good enough for data centres.

System-level validation and captive portal handling can be enforced using the same manual configuration of Unbound + dnssec-trigger as in current Linux distributions.
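As an added example (not part of this wiki page), the Python code below shows what a stub resolver actually receives when it relies on a remote validator, as the Windows clients above do: the only signal it gets is the AD (Authenticated Data) bit in the DNS response header, which is why the path to that resolver has to be trusted. The sample responses are constructed inline; the function names and the "trusted_path" flag are my own.

```python
import struct

# DNS header flag masks (RFC 1035 / RFC 4035)
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # resolver asserts the data was DNSSEC-validated
FLAG_CD = 0x0010   # checking disabled
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2  # what a validating resolver returns for bogus data


def build_header(msg_id, flags, qdcount=1):
    """Build a 12-byte DNS header (constructed sample data, no real DNS traffic)."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, 0, 0, 0)


def parse_flags(msg):
    """Return the validation-relevant header fields of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _, flags, *_ = struct.unpack("!HHHHHH", msg[:12])
    return {
        "is_response": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
    }


def classify(msg, trusted_path):
    """Classify a response from the stub's point of view.

    trusted_path says whether the link to the validating resolver is
    protected (e.g. IPsec); without it, an on-path attacker can simply
    set the AD bit on a forged answer, so AD proves nothing."""
    f = parse_flags(msg)
    if not f["is_response"]:
        return "not-a-response"
    if f["rcode"] == RCODE_SERVFAIL:
        return "bogus-or-error"   # validator refused to hand out the data
    if f["ad"]:
        return "validated" if trusted_path else "unverifiable"
    return "insecure"             # answer came back, but nothing was validated


# Constructed sample responses (headers only; no question/answer sections needed)
SAMPLE_VALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SAMPLE_INSECURE = build_header(0x1235, FLAG_QR | FLAG_RD | FLAG_RA)
SAMPLE_SERVFAIL = build_header(0x1236, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL)
```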

OS X & iOS

Neither OS X nor iOS does DNSSEC validation by default, but both have some low-level APIs provided by mDNSResponder which applications can use to request DNSSEC validation.

Source:

Validation is not done by default and I was not able to find any system-level configuration for mDNSResponder.

System-level validation and captive portal handling can be enforced using the same manual configuration of Unbound + dnssec-trigger as in current Linux distributions.

Sources:

Android

I was not able to find any mention of DNSSEC on developer.android.com. There is a community attempt to port Unbound + the functionality of dnssec-trigger to Android:

Summary

  • None of the studied systems (Windows clients, Android, iOS & OS X) do DNSSEC validation by default. Support for DNSSEC, if present, is well hidden from users and buried in low-level APIs.
  • No automatic workarounds for broken or misconfigured networks are available. This effectively means that ~ 60 % of clients would not be able to do DNSSEC validation reliably:

Author: Pspacek (talk) 12:16, 6 January 2016 (UTC)