[dns-operations] Apple's support on client side DNSSEC validation

Ralf Weber dns at fl1ger.de
Mon Jun 13 06:47:33 UTC 2022


On 13 Jun 2022, at 6:57, Davey Song wrote:
> From recent WWDC22, I learned that iOS 16 and macOS Ventura would support
> client-side DNSSEC validation. If I understand correctly, the client-side
> validation means stub resolver doing validation, right?
That is how I understood and observe it.

> Does the stub resolver also do the full validation along the chain of trust?
Yes, I see queries for DNSKEY and DS down from the root for queries that have
DNSSEC enabled.

> Wow, it is a resource-consuming process for handsets. Or does the stub resolver just send
> a DNS query with the DO bit?
It’s not worse than TLS validation and decryption. Today's smartphones have
more than enough power to do this. Of course the query has to be sent with
DO, otherwise the signatures would not be sent. Apple also sets CD so that
they can get records from broken domains that a validating resolver otherwise
would not hand out. All pretty much standard validating stub resolver behaviour.

> It is appreciated if people from apple on the list can brief us on the
> considerations.
I’m not from Apple, but here are some of the things I observed in the video
and from a bit of further testing:
- DNSSEC is not on by default; in fact there is no way for the end user to
  turn it on. Only in applications you write can you enable validation for
  outbound URL / network connection requests in your code
- There is no specific error condition for a DNSSEC failure. You just will
  not get the URL/connection. I hope that future versions will do more here.
- If you do DNSSEC checking on a domain that is insecure it will succeed,
  which is similar to validating recursive servers

I applaud Apple for doing this and hope that app developers will pick it up.

So long
Ralf Weber
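As an added example (not part of Ralf's post and not Apple's code), the following Python builds a query the way the described stub would, with the DO bit in an EDNS(0) OPT record and the CD flag in the header, and decodes it back; the transaction ID and the 1232-byte EDNS buffer size are assumed values.

```python
"""Build and inspect a DNS query the way a validating stub resolver does.

Constructed example: DO set in the OPT record so the upstream resolver returns
RRSIGs, CD set so it hands back records it would otherwise withhold as bogus,
leaving validation to the stub (this is what Ralf observed Apple doing)."""
import struct

QTYPE = {"A": 1, "DS": 43, "DNSKEY": 48}
EDNS_UDP_SIZE = 1232            # assumed UDP payload size for the OPT record
DO_BIT = 1 << 15                # DNSSEC OK lives in the high bit of OPT TTL
FLAG_RD = 1 << 8                # recursion desired
FLAG_CD = 1 << 4                # checking disabled


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels; '.' becomes the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234,
                do: bool = True, cd: bool = True) -> bytes:
    """Return a wire-format query with one question and an EDNS(0) OPT RR."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL = extended flags
    opt_ttl = DO_BIT if do else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, opt_ttl, 0)
    return header + question + opt


def inspect_query(msg: bytes) -> dict:
    """Decode the header flags and the OPT record of a query built above."""
    _txid, flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    while msg[pos] != 0:            # skip the question name labels
        pos += msg[pos] + 1
    pos += 1
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    do = False
    if ar == 1 and msg[pos] == 0:   # OPT RR starts with the root name
        rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        do = rtype == 41 and bool(ttl & DO_BIT)
    return {"qtype": qtype, "cd": bool(flags & FLAG_CD), "do": do}
```

With DO set but CD clear, a validating recursive resolver would answer SERVFAIL for a bogus zone; with CD set the stub gets the records and must judge the chain of trust itself, which is why it also has to fetch DNSKEY and DS records down from the root.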
