Provable DNS Queries

DNS-over-HTTPS has enabled application developers on the web to query arbitrary DNS records, that is, to perform lookups in a global database of human-readable names. This lets developers read data that arbitrary users have stored in the global DNS hierarchy.

Sadly, DNS-over-HTTPS is generally implemented by fully trusting the resolver, accepting whatever data it returns as holy truth not to be questioned. Luckily, the DNS offers a better way.

The DNS, besides being a global hierarchical database, is also a global hierarchical PKI: entries in the database can be signed by a chain of keys leading ultimately to a single root trust anchor.

No need to mess with 100 fully-trusted certificate authorities that may or may not be compromised or simply sketchy. With the DNS there's only one trust anchor, and any keys below it are only allowed to sign for the part of the DNS they're responsible for.

Because this system is so straightforward, writing a full validator for DNS records using DNSSEC takes less than 100 lines of Rust (and a good cryptographic primitive library)!

This website demos such a validator, using the proof format from RFC 9102 to validate a full chain of DNS records and give you an answer to a lookup in the global DNS, without trusting the server! You can find the code for this validator and proof generation server on GitHub.
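As an added illustration of the chain described above (this is example code, not the page's Rust validator): the hash link between a parent zone's DS record and the child zone's DNSKEY, using only Python's standard library. The same check, applied to the root zone's DNSKEY against the root trust anchor, is the first step of walking an RFC 9102 chain; RRSIG signature verification needs a cryptographic library and is not shown. All names and keys below are constructed sample values.

```python
import hashlib
import struct

# Added example, not the page's Rust validator. It implements the DS -> DNSKEY
# link (RFC 4034 s.5.1.4, Appendix B) that ties a child zone's key to its parent.
# RRSIG signature verification, which needs a crypto library, is not shown.

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types handled here

def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 s.6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: sum of 16-bit words with the carry folded back in."""
    ac = 0
    for i in range(0, len(rdata), 2):
        ac += (rdata[i] << 8) + (rdata[i + 1] if i + 1 < len(rdata) else 0)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, digest_type: int, rdata: bytes) -> bytes:
    """DS digest = H(canonical owner name || DNSKEY RDATA). Hashing the owner name
    binds the key to one zone: the parent only vouches for it under that name."""
    return DIGESTS[digest_type](canonical_name(owner) + rdata).digest()

def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Does the parent's DS record vouch for this DNSKEY at `owner`?
    An unknown digest type or any field mismatch means: not in the chain."""
    if ds["digest_type"] not in DIGESTS:
        return False
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    return ds["digest"] == ds_digest(owner, ds["digest_type"], rdata)

def demo() -> dict:
    # Constructed sample: a KSK (flags 257) for algorithm 13 with a dummy 4-byte key.
    rdata = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")
    ds = {"key_tag": key_tag(rdata), "algorithm": 13, "digest_type": 2,
          "digest": ds_digest("example.com.", 2, rdata)}  # as the parent would publish
    return {"same_zone": ds_matches_dnskey(ds, "Example.COM", rdata),
            "other_zone": ds_matches_dnskey(ds, "other.example.", rdata),
            "unknown_digest": ds_matches_dnskey({**ds, "digest_type": 99}, "example.com.", rdata)}
```

`demo()` shows the zone scoping the text describes: the same key bytes presented under another owner name are rejected, as is a DS whose digest type the validator cannot compute.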

The demo takes three inputs: the domain (which must be DNSSEC-signed), the record type (currently only A/AAAA/TXT/TLSA), and the DoH endpoint.