DNSSEC
-
Any chance we can have DNSSEC working for the Vivaldi sites ?
Cloudflare, Quad9 and Google DNS all give users DNSSEC but it relies on sites also using it properly.
Cloudflare rolled it in as standard so there really is no reason anymore to not add some MITM protection.
https://dnssec-analyzer.verisignlabs.com/www.vivaldi.net
https://dnssec-name-and-shame.com/domain/www.vivaldi.nethttps://dnssec-analyzer.verisignlabs.com/www.vivaldi.com
I brought up this issue in a small privately owned Unreal forum that is using cloudflare last week, and within a week we have full authenticating DNSSEC.
Is something broken maybe ?
-
This isn't a browser feature (though something related could be), this is something for domain hosting, such as these forums (hence this section).
I actually have previously asked for Vivaldi browser to show DNSSEC info and errors, but as it is vote based, it only got minor up-voting, because most users don't understand or care about security.
I can ask again, but this is another matter, more a "site bug".When it comes to site security things like this shouldn't be voted on by site users, they just need to be done if possible (and it is).
Cloudflare have given everyone the ability to use it because they realise how important it is.
ICANN are now campaigning to get people to sort out their domains and DNS.
Users (most) don't care or know what all this means.
This is a topic for management meetings, not a forum.
https://www.icann.org/news/announcement-2019-02-22-en
ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet
Vivaldi is half way there, it just needs a little more configuration and the vivaldi domains (inc email) can offer some protection from man-in-the-middle interference.On behalf of the authors of DNSSEC, ICANN, and Cloudflare, I am asking, please can we finally enable this standard security feature ?
...and perhaps move this thread to "Forum Issues". I now realise it would have been better there. -
Bumping this as it was also bugging me for some time, because of
mimir.vivaldi.comandbitfrost.vivaldi.com(translation and sync server).
systemd-resolvedoften hangs and times out if DNSSEC validation fails (the case with mimir & bitfrost) in combination with using DNS over TLS or not (don't remember it right now, latest bug report I had bookmarked was this https://github.com/systemd/systemd/issues/9867). Of course this isn't Vivaldi's problem but it would be nice to have, or there are other reasons of importance that I'm unaware of.Maybe pinging @thomasp ?
-
-
Since you asked so nicely
I can confirm that DNSSEC has now been enabled for both the
vivaldi.comandvivaldi.netdomains. -
@thomasp woooooooot?
Unbelievable !
(I'll check it ofc...
)
/edit:
check ok, both reporting [T]
THANKS !
-
Woohoo !
Vivaldi gets the thumbs up from Anne Marie, and now ranks among the few that gave a damn about authentication.
https://dnssec-name-and-shame.com/domain/www.vivaldi.com
both com and net are showing as all green
However doing a further test with https://dnsviz.net/d/www.vivaldi.com/analyze/ shows 3 warnings with 1 common issue.
"The server appears to support DNS cookies but did not return a COOKIE option"It doesn't look like that is much of an issue, but one of the most important Vivaldi domains that needs authenticity is still not configured properly, and gets a thumbs down from Anne Marie.
https://dnssec-name-and-shame.com/domain/downloads.vivaldi.com
https://dnssec-analyzer.verisignlabs.com/downloads.vivaldi.com
Thanks for finally getting round to dealing with this.
I feel an extra amount of pride as well as faith using Vivaldi services. -
I hope we don't have to wait another 3 years for DNSSEC to be used on the downloads domain.
* 
