🌐 Website Issue | DNSSEC support? #731
Reference: privacyguides/privacytools.io#731
Description
Why isn't DNSSEC enabled on privacytools.io?
@privacytoolsIO
Sites hosted on GitHub Pages do not support DNSSEC (yet). I received this in November after asking them directly:
Privacytools.io is using Cloudflare for DNS and as a reverse proxy, so GitHub pages not supporting DNSSEC doesn't prevent it. I think there are many pages with a similar setup without issues, for example mine (DNSSEC Analyzer link) which until recently had a similar setup; currently I am only using Cloudflare for www.
Of course GitHub pages not supporting DNSSEC would leave Cloudflare's DNS servers vulnerable to cache poisoning while flattening the CNAME, but I don't think that is too different from the case with Cloudflare as reverse proxy, as we cannot know what SSL options privacytools.io is using: is GitHub pages contacted over http, https (invalid certificate accepted) or https (valid certificate required)?
@Mikaela Oh, I did not know about the setup with using it as a reverse proxy and I'm somewhat confused over GitHub's support pages regarding this, resulting in my correspondence with them.
From my experience with GitHub using the "regular" setup for DNS with an apex and subdomain with the CNAME, my site fails in DNSSEC validation when it gets to the github.io in the io zone. I see that this is a somewhat different case than for privacytools, so perhaps this could be easily resolved :)
Edit: I changed my setup to using apex domain and A records at my registrar instead of using www and CNAME and now it works with DNSSEC as intended. Thanks for the clarifying comments! Then this site should be able to activate it too.. ;)
I don't know what was your original message to GitHub support, but from their response I think they were talking about GitHub pages without custom domain, <username>.github.io, but that should fix your issue. (Sorry if I am not making much sense, I am multitasking.)
Is this correct now? Thanks for your help, guys.
Thank you 💜
However this may have slowed migrating out of Cloudflare, unless you can find more information on DNS transitioning DNSSEC-signed domains than I did. See https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-476564807 for my experience on Cloudflare -> Gandi.net
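Added example (not part of the original thread): a small Python check that reads `dig +dnssec` output and lists answer RRsets with no covering RRSIG, which is the difference between the www CNAME to github.io setup and the apex A-record setup discussed above. Both dig outputs are constructed samples; the names, addresses, key tag and signature data are placeholders.

```python
import re
from collections import defaultdict

# Constructed `dig +dnssec` output: www is a signed CNAME into the unsigned github.io zone.
SAMPLE_CNAME = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.org. 300 IN CNAME exampleuser.github.io.
www.example.org. 300 IN RRSIG CNAME 13 3 300 20300101000000 20291201000000 12345 example.org. c2FtcGxl
exampleuser.github.io. 3600 IN A 192.0.2.10
"""

# Constructed output for the apex served by signed A records.
SAMPLE_APEX = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org. 300 IN A 192.0.2.10
example.org. 300 IN RRSIG A 13 2 300 20300101000000 20291201000000 12345 example.org. c2FtcGxl
"""

def parse_dig(text):
    """Return (header flags, answer RRsets in order, owner -> RR types covered by an RRSIG)."""
    flags, rrsets, covered, in_answer = set(), [], defaultdict(set), False
    for line in text.splitlines():
        m = re.match(r";; flags:([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
        elif line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and not line.strip():
            in_answer = False              # blank line ends the section
        elif in_answer and not line.startswith(";"):
            owner, _ttl, _cls, rtype, *rdata = line.split()
            owner = owner.lower()
            if rtype == "RRSIG":
                covered[owner].add(rdata[0])   # first RDATA field is the type covered
            elif (owner, rtype) not in rrsets:
                rrsets.append((owner, rtype))
    return flags, rrsets, covered

def report(text):
    """AD flag state plus every answer RRset that has no covering RRSIG."""
    flags, rrsets, covered = parse_dig(text)
    unsigned = [(o, t) for o, t in rrsets if t not in covered[o]]
    return {"ad": "ad" in flags, "unsigned": unsigned}

if __name__ == "__main__":
    for name, sample in (("www CNAME", SAMPLE_CNAME), ("apex A", SAMPLE_APEX)):
        print(name, report(sample))
```

A validating resolver sets the `ad` flag only when every RRset in the answer is authenticated, so one unsigned link in a CNAME chain clears it for the whole response.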