How to set up DNSSEC with DNS.WATCH

Hi,

I’m trying to set up DNS.WATCH with DNSSEC for use by Foris by copying and modifying /etc/resolver/dns_servers/00_odvr-cznic.conf to 99_dns_watch.conf. I have changed all the values to those of DNS.WATCH, except I don’t know what to enter for ca_file. Can anyone tell me what to enter there? Thanks.

From a look at their web presence, it does not appear that DoT is supported, or is it?

At the bottom of their home page it says:

84.200.69.80
resolver1.dns.watch
No Logging, DNSSEC enabled
84.200.70.40
resolver2.dns.watch
No Logging, DNSSEC enabled

They just don’t give instructions on how to use it unfortunately.

These addresses do not listen on port 853 (from my site at least), so apparently they don’t support DNS-over-TLS and thus the certificate question is completely irrelevant.


Without TLS (privacy) you can copy and modify the config from 99_google.conf.

They do; it is just that DNSSEC (domain security) does not require a certificate, whilst TLS connectivity (DoT) for transport security does.

Probably neither on port 443 which some providers support though.

@vcunat, n8v8r: Thanks for the information, I was under the mistaken impression that DNSSEC implied TLS, my bad. I will search further.

These two solve two aspects that are mostly orthogonal.
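The two checks the thread separates, as an added example that is not part of the original posts or of Foris/Turris: `probe_dot` does the "does it listen on 853" test from above by completing a TLS handshake and sending one DNS query over it (RFC 7858 framing), while `dnssec_validated` inspects the AD bit in a DNS response header, which is where a validating resolver signals DNSSEC regardless of transport. The resolver addresses are the DNS.WATCH ones quoted in the thread; the queried name, the transaction ID and the two sample responses are constructed for illustration, and the probe itself needs network access (the sample responses do not).

```python
"""Added example (not from the forum thread): DoT transport probe vs. DNSSEC AD-bit check.
The probed name, transaction ID and sample responses below are assumptions/constructed data."""
import socket
import ssl
import struct
from typing import Optional

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 6891 / RFC 3225).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: the resolver validated the answer with DNSSEC
EDNS_DO = 0x8000   # "DNSSEC OK" in the OPT record's TTL/flags field


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Wire-format query (default type A) for `name`. With dnssec_ok=True an EDNS0 OPT
    record with DO=1 is appended, which asks a validating resolver to set AD on the reply."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QCLASS IN
    if not dnssec_ok:
        return header + question
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "qdcount": qd, "ancount": an, "arcount": ar}


def dnssec_validated(msg: bytes) -> bool:
    """True only for a NOERROR response on which the resolver asserted AD.
    This says nothing about the transport the message arrived over."""
    h = parse_header(msg)
    return h["qr"] and h["rcode"] == 0 and h["ad"]


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


def probe_dot(host: str, port: int = 853, timeout: float = 3.0,
              server_name: Optional[str] = None) -> bool:
    """True if `host` completes a TLS handshake on `port` and answers a DNS query over it.
    DoT uses the TCP framing: a 2-byte big-endian length prefix before each message."""
    ctx = ssl.create_default_context()
    if server_name is None:
        # IP-only resolver with no name to verify against: the channel is encrypted but
        # not authenticated (opportunistic). Pass server_name (or pin the cert) for real use.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    query = build_query("example.com.")  # assumed probe name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                tls.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                resp = _recv_exact(tls, length)
                return parse_header(resp)["id"] == parse_header(query)["id"]
    except (OSError, ssl.SSLError):
        return False  # refused, timed out, or no TLS on that port: no DoT here


# Constructed sample responses (not captured from DNS.WATCH): QR|RD|RA set, NOERROR,
# one question echoed, no answer records; one carries AD, the other does not.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 0, 0, 0)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0)


if __name__ == "__main__":
    for addr in ("84.200.69.80", "84.200.70.40"):   # DNS.WATCH resolvers quoted in the thread
        print(addr, "answers DoT on 853:", probe_dot(addr))
    print("sample with AD validated:", dnssec_validated(SAMPLE_VALIDATED))
```

Run it as a script to repeat the port 853 test from the thread against both DNS.WATCH addresses; a `False` there means no DoT, so the Foris `ca_file` (and any hostname or pin) has nothing to verify. Whether answers are DNSSEC-validated is a separate question answered by the AD bit, which a plain UDP/TCP forwarder returns just as a DoT one would.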