<div dir="ltr"><div dir="ltr">On Sat, Oct 22, 2022 at 3:20 PM Sandro <<a href="mailto:lists@penguinpee.nl">lists@penguinpee.nl</a>> wrote:</div><div dir="ltr">[snip]</div><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Doing favors for the better good does not seem to be in their <br>
dictionary. Look at DNSSEC.<br>
</blockquote><div><br></div><div>Do you mean signing their domains or their public resolver services?</div><div><br></div><div><a href="https://developers.google.com/speed/public-dns/faq">https://developers.google.com/speed/public-dns/faq</a> </div><div><h3 id="gmail-dnssec" role="presentation" style="box-sizing:inherit;overflow:hidden;text-overflow:ellipsis;color:rgb(32,33,36)"><span class="gmail-devsite-heading" role="heading" style="box-sizing:inherit">Does Google Public DNS support the DNSSEC protocol?</span><button type="button" class="gmail-devsite-heading-link gmail-button-flat gmail-material-icons" aria-label="Copy link to this section: Does Google Public DNS support the DNSSEC protocol?" style="background-image:initial;background-position:0px 50%;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border-width:0px;border-style:initial;border-color:initial;font-style:normal;font-weight:normal;font-size:24px;font-family:"Material Icons";height:24px;line-height:1;min-width:36px;outline:0px;overflow:hidden;padding:0px 8px;text-overflow:ellipsis;vertical-align:middle;white-space:nowrap;direction:ltr;font-feature-settings:"liga";opacity:0"></button></h3><p style="box-sizing:inherit;margin:16px 0px;padding:0px;color:rgb(32,33,36);font-family:Roboto,"Noto Sans","Noto Sans JP","Noto Sans KR","Noto Naskh Arabic","Noto Sans Thai","Noto Sans Hebrew","Noto Sans Bengali",sans-serif;font-size:16px">Google Public DNS is a validating, security-aware resolver. All responses from DNSSEC signed zones are validated unless clients explicitly set the CD flag in DNS requests to disable the validation.</p></div><div><br></div><div><a href="https://developers.cloudflare.com/1.1.1.1/faq/#how-does-1111-work-with-dnssec">https://developers.cloudflare.com/1.1.1.1/faq/#how-does-1111-work-with-dnssec</a></div><div><h2 id="gmail-how-does-1111-work-with-dnssec" style="box-sizing:inherit;margin:1.55em 0px 0.5em;line-height:1.25;font-size:1.6666em"><span style="box-sizing:inherit;margin:0px">How does 1.1.1.1 work with DNSSEC?</span></h2><p style="box-sizing:inherit;margin:0px 0px 1em;max-width:100%">1.1.1.1 is a DNSSEC validating resolver. 1.1.1.1 sends the <code style="box-sizing:inherit;margin:0px;border-radius:0.25em;max-width:100%">DO</code> (<code style="box-sizing:inherit;margin:0px;border-radius:0.25em;max-width:100%">DNSSEC OK</code>) bit on every query to convey to the authoritative server that it wishes to receive signed answers if available. 1.1.1.1 supports the signature algorithms specified in <a href="https://developers.cloudflare.com/1.1.1.1/encryption/dnskey/" class="gmail-DocsMarkdown--link" style="box-sizing:inherit;margin:0px;text-decoration-line:none;color:inherit"><span class="gmail-DocsMarkdown--link-content" style="box-sizing:inherit;margin:0px">Supported DNSKEY signature algorithms</span></a>.</p></div></div></div>