I've downloaded and installed Jitsi 1.0 and have a couple of questions
the user interface panel related to DNSSEC (screenshot attached). I would
like to write a blog post specifically promoting the use of Jitsi and
but I need to understand these questions first:
1. What do you mean with the checkbox "Treat all domain names as
An account could be configured with non-qualified domain name or an FQDN
without the trailing dot. If the OS has one or more primary DNS suffix(es),
then this will be appended and a resolve is tried for each combination.
Actually, that is not directly related to DNSSEC, but if you have the
validation enabled you could receive multiple warnings. Treating all domain
names as absolute avoids that and ensures that for each name only one query
is sent out.
2. When check the box for "Enable DNSSEC resolver", does the app include
own built-in DNSSEC-validating resolver? (I'm assuming it does)
a. Or do you need to provide IP addresses in the "Custom name
servers" box? b. If Jitsi does include it's own DNSSEC validating
resolver, what is the point of the "Custom name servers" box?
Libunbound, the library Jitsi is using, is validating the DNSSEC chain, but
it's not a full resolver. Queries for DNSKEY, DS, etc. are sent to the OS's
resolver, of if configured, to the "Custom name servers".
The option to override the OS's default resolver is there because during
development, the only servers supporting all relevant record types where
from DNSOARC and Verizon.
The choice not to use libunbound as a fully recursive resolver was
performance and that it's for one simply not the job of an application to
perform recursive DNS queries.
3. What is the big box at the bottom of the panel with "Domain" and
"Behavior" for? Does a list get built up as you connect to DNSSEC-signed
domains and you can modify the behavior for each domain? I didn't see
way to add items to that box and so I'm assuming the list gets built by
Yes, the list gets filled as queries are sent through the DNSSEC resolver.
4. I actually have a fourth question I didn't ask the list - does this
DNSSEC validation work with IPv6?
I did not have any access to an IPv6 network when I developed that, but
there shouldn't be any reason that it's not supported.
Any assistance on those questions - or pointers to documentation about the
DNSSEC support, would be greatly appreciated.
Documentation is one of our issues
I have plans for a Wiki in my mind with links on all those config pages, but
it's not ready yet.