[jitsi-dev] Where can I get more information about the DNSSEC features of Jitsi 1.0?


#1

Greetings,

I've downloaded and installed Jitsi 1.0 and have a couple of questions about the user interface panel related to DNSSEC (screenshot attached). I would like to write a blog post specifically promoting the use of Jitsi and DNSSEC, but I need to understand these questions first:

1. What do you mean with the checkbox "Treat all domain names as absolute"?

2. When check the box for "Enable DNSSEC resolver", does the app include it's own built-in DNSSEC-validating resolver? (I'm assuming it does)
     a. Or do you need to provide IP addresses in the "Custom name servers" box?
     b. If Jitsi does include it's own DNSSEC validating resolver, what is the point of the "Custom name servers" box?

3. What is the big box at the bottom of the panel with "Domain" and "Behavior" for? Does a list get built up as you connect to DNSSEC-signed domains and you can modify the behavior for each domain? I didn't see any way to add items to that box and so I'm assuming the list gets built by the Jitsi app.

Any assistance on those questions - or pointers to documentation about the DNSSEC support, would be greatly appreciated.

Thanks,
Dan

···

--
Dan York
Senior Content Strategist, Internet Society
york@isoc.org +1-802-735-1624
Jabber: york@jabber.isoc.org
Skype: danyork http://twitter.com/danyork

http://www.internetsociety.org/deploy360/


#2

Hey Dan

I've downloaded and installed Jitsi 1.0 and have a couple of questions

about

the user interface panel related to DNSSEC (screenshot attached). I would
like to write a blog post specifically promoting the use of Jitsi and

DNSSEC,

but I need to understand these questions first:

1. What do you mean with the checkbox "Treat all domain names as

absolute"?

An account could be configured with non-qualified domain name or an FQDN
without the trailing dot. If the OS has one or more primary DNS suffix(es),
then this will be appended and a resolve is tried for each combination.
Actually, that is not directly related to DNSSEC, but if you have the
validation enabled you could receive multiple warnings. Treating all domain
names as absolute avoids that and ensures that for each name only one query
is sent out.

2. When check the box for "Enable DNSSEC resolver", does the app include

it's

own built-in DNSSEC-validating resolver? (I'm assuming it does)
     a. Or do you need to provide IP addresses in the "Custom name
     servers" box? b. If Jitsi does include it's own DNSSEC validating
     resolver, what is the point of the "Custom name servers" box?

Libunbound, the library Jitsi is using, is validating the DNSSEC chain, but
it's not a full resolver. Queries for DNSKEY, DS, etc. are sent to the OS's
resolver, of if configured, to the "Custom name servers".

The option to override the OS's default resolver is there because during
development, the only servers supporting all relevant record types where
from DNSOARC and Verizon.

The choice not to use libunbound as a fully recursive resolver was
performance and that it's for one simply not the job of an application to
perform recursive DNS queries.

3. What is the big box at the bottom of the panel with "Domain" and
"Behavior" for? Does a list get built up as you connect to DNSSEC-signed
domains and you can modify the behavior for each domain? I didn't see

any

way to add items to that box and so I'm assuming the list gets built by

the

Jitsi app.

Yes, the list gets filled as queries are sent through the DNSSEC resolver.

4. I actually have a fourth question I didn't ask the list - does this
DNSSEC validation work with IPv6?

I did not have any access to an IPv6 network when I developed that, but
there shouldn't be any reason that it's not supported.

Any assistance on those questions - or pointers to documentation about the
DNSSEC support, would be greatly appreciated.

Documentation is one of our issues :frowning:
I have plans for a Wiki in my mind with links on all those config pages, but
it's not ready yet.

Thanks,
Dan

Regards,
Ingo