Cisco Umbrella is happy to announce General Availability for DNSSEC support in our DNS resolvers. With this release, the Cisco Umbrella resolvers will act as fully RFC-compliant, security-aware resolvers by performing DNSSEC validation on queries to authoritative nameservers for signed zones.
The full scope of our support for DNSSEC can be found here:
All Umbrella resolvers will now validate all DNSSEC-signed zones, and return a SERVFAIL response for records that fail validation. In addition, Umbrella supports the use of the DO bit in queries to return security records for users who wish to troubleshoot issues with validation.
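The DO-bit troubleshooting described above, as an added example (not Cisco Umbrella code): it builds a DNS query with the DO bit set in the EDNS0 OPT record and summarizes a response's RCODE, DO flag and RRSIG count. The function names and the two sample responses are constructed for illustration, and nothing is sent over the network.

```python
import struct

DO_BIT = 0x8000               # "DNSSEC OK" flag, carried in the OPT record's TTL field
TYPE_A, TYPE_OPT, TYPE_RRSIG, RCODE_SERVFAIL = 1, 41, 46, 2

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def opt_rr(do, udp_size=1232):  # root name, TYPE 41, CLASS = UDP size, TTL = flags
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)

def build_query(name, do=True, txid=0x1234):
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, 1) + opt_rr(do)

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:             # root label ends the name
            return off

def summarize(msg):
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    do_set, rrsigs = False, 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do_set = bool(ttl & DO_BIT)
        elif rtype == TYPE_RRSIG:
            rrsigs += 1
    return {"servfail": (flags & 0xF) == RCODE_SERVFAIL, "do": do_set, "rrsigs": rrsigs}

def sample_response(valid):
    # Constructed messages, not captured traffic; the RRSIG RDATA is zero-filled filler.
    q = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    if not valid:              # failed validation: SERVFAIL, empty answer section
        return struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 1) + q + opt_rr(True)
    rr = lambda t, rd: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
    body = rr(TYPE_A, bytes([192, 0, 2, 1])) + rr(TYPE_RRSIG, bytes(20))
    return struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 1) + q + body + opt_rr(True)
```

SERVFAIL is a generic failure code, so a SERVFAIL summary points to validation as one possible cause rather than proving it.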
Umbrella does not recommend that local DNS servers forwarding to our resolvers enable DNSSEC validation themselves. Instead, clients should ensure that communication between themselves and the Umbrella resolvers is encrypted.
Umbrella recommends the use of DNSCrypt to provide a cryptographically secure method of communication and proof of identity. Both the Umbrella Roaming Client and the Umbrella Virtual Appliance use DNSCrypt in their default configurations.