[GH-ISSUE #24470] feat: [Security Enhancement] Enable DNSSEC #91048

Closed
opened 2026-05-15 16:19:12 -05:00 by GiteaMirror · 8 comments
Owner

Originally created by @thegreatGreenstar on GitHub (May 8, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/24470

Check Existing Issues

  • I have searched for all existing open AND closed issues and discussions for similar requests. I have found none that is comparable to my request.

Verify Feature Scope

  • I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions.

Problem Description

Website has DNSSEC disabled, this reduces the security of the site.
https://www.cloudflare.com/learning/dns/dns-security/

Desired Solution you'd like

DNSSEC to be enabled at the domain level.
https://developers.cloudflare.com/dns/dnssec/#enable-dnssec

Additional Context

To enable DNSSEC is incredibly simple through your Cloudflare usage.
Simply go through: https://developers.cloudflare.com/dns/dnssec/#enable-dnssec
and follow the instructions.

Originally created by @thegreatGreenstar on GitHub (May 8, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/24470 ### Check Existing Issues - [x] I have searched for all existing **open AND closed** issues and discussions for similar requests. I have found none that is comparable to my request. ### Verify Feature Scope - [x] I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions. ### Problem Description Website has DNSSEC disabled, this reduces the security of the site. https://www.cloudflare.com/learning/dns/dns-security/ ### Desired Solution you'd like DNSSEC to be enabled at the domain level. https://developers.cloudflare.com/dns/dnssec/#enable-dnssec ### Additional Context To enable DNSSEC is incredibly simple through your Cloudflare usage. Simply go through: https://developers.cloudflare.com/dns/dnssec/#enable-dnssec and follow the instructions.
Author
Owner

@owui-terminator[bot] commented on GitHub (May 8, 2026):

⚠️ Missing Issue Title Prefix

@thegreatGreenstar, your issue title is missing a categorising prefix (e.g. bug:, feat:, docs:).

Please update the title to lead with one of:

  • bug: bug report or error
  • feat: feature request or enhancement
  • docs: documentation issue
  • question: usage question
  • help: support request

Example: bug: Login fails when the password contains special characters

<!-- gh-comment-id:4409661205 --> @owui-terminator[bot] commented on GitHub (May 8, 2026): # ⚠️ Missing Issue Title Prefix @thegreatGreenstar, your issue title is missing a categorising prefix (e.g. `bug:`, `feat:`, `docs:`). Please update the title to lead with one of: - **bug**: bug report or error - **feat**: feature request or enhancement - **docs**: documentation issue - **question**: usage question - **help**: support request Example: `bug: Login fails when the password contains special characters`
Author
Owner

@Classic298 commented on GitHub (May 8, 2026):

then enable dnssec at your reverse proxy. open webui is not your TLS endpoint

<!-- gh-comment-id:4409670776 --> @Classic298 commented on GitHub (May 8, 2026): then enable dnssec at your reverse proxy. open webui is not your TLS endpoint
Author
Owner

@thegreatGreenstar commented on GitHub (May 8, 2026):

then enable dnssec at your reverse proxy. open webui is not your TLS endpoint
@Classic298

What?
This is about protecting the site itself, to ensure requests are not routed to a spoofed domain.
Before even doing anything else, the site itself. This also won't cause any breakage. There should be no reason to have this disabled unless actively transferring the site.

<!-- gh-comment-id:4409686886 --> @thegreatGreenstar commented on GitHub (May 8, 2026): > then enable dnssec at your reverse proxy. open webui is not your TLS endpoint @Classic298 What? This is about protecting the site itself, to ensure requests are not routed to a spoofed domain. Before even doing anything else, the site itself. This also won't cause any breakage. There should be no reason to have this disabled unless actively transferring the site.
Author
Owner

@thegreatGreenstar commented on GitHub (May 8, 2026):

Something like HSTS, sure you may not want to use that, if you want to allow http connections.
But there is no reason the site should have DNSSEC enabled.

<!-- gh-comment-id:4409708807 --> @thegreatGreenstar commented on GitHub (May 8, 2026): Something like HSTS, sure you may not want to use that, if you want to allow http connections. But there is no reason the site should have DNSSEC enabled.
Author
Owner

@Classic298 commented on GitHub (May 8, 2026):

why would open webui be responsible for enabling DNSSEC

<!-- gh-comment-id:4409709999 --> @Classic298 commented on GitHub (May 8, 2026): why would open webui be responsible for enabling DNSSEC
Author
Owner

@Classic298 commented on GitHub (May 8, 2026):

?

<!-- gh-comment-id:4409722210 --> @Classic298 commented on GitHub (May 8, 2026): ?
Author
Owner

@thegreatGreenstar commented on GitHub (May 8, 2026):

To secure the website itself. https://openwebui.com
So when people access the blog, log in, etc, they are actually accessing the real website, rather than something else.

<!-- gh-comment-id:4409724876 --> @thegreatGreenstar commented on GitHub (May 8, 2026): To secure the website itself. https://openwebui.com So when people access the blog, log in, etc, they are actually accessing the real website, rather than something else.
Author
Owner

@Classic298 commented on GitHub (May 8, 2026):

aha you mean openwebui.com !

Why didn't you say so in your original issue straight away? You opened it against the openwebui repository. Open it against the community website repo so this can be tracked

<!-- gh-comment-id:4409742906 --> @Classic298 commented on GitHub (May 8, 2026): aha you mean openwebui.com ! Why didn't you say so in your original issue straight away? You opened it against the openwebui repository. Open it against the community website repo so this can be tracked
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#91048