[Dnsmasq-discuss] Servfail/bogus with DNSSEC and local unbound TLD

Simon Kelley simon at thekelleys.org.uk
Fri Aug 3 15:10:58 BST 2018


Actually, my previous reply was wrong, you'll need to use the config

server=/local.tld/<address of unbound server>

to make this work.


Cheers,

Simon.

On 03/08/18 14:51, Simon Kelley wrote:
> As far as I can tell, the Pihole instructions for configuring Unbound
> specify that the local TLD should be configured as not DNSSEC signed.
> 
> As far as dnsmasq is concerned, therefore, any answers in the local TLD
> cannot be proven as valid, since they're unsigned, and it cannot be
> proven that the local TLD is unsigned, since there's no trust path from
> the root that proves that.
> 
> The BOGUS reply from dnsmasq is therefore quite correct.
> 
> The fix for this is to tell dnsmasq that the local TLD is NOT DNSSEC signed.
> 
> something like
> 
> server=/local.tld/#
> 
> in the pihole dnsmasq config should do the trick.
> 
> 
> (Note that when researching this answer, I found a couple of corner-case
> bugs to do with this code, one of which is that the logging for that
> server line doesn't include the information that DNSSEC is disabled for
> that TLD. This shouldn't stop it working.)
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> On 03/08/18 13:14, Walter | Exclusive-IT wrote:
>>
>> Good day Sir,
>>
>> Mark, from Pi-hole, advised me to ask you about a possible DNSMasq
>> bug/issue through this channel.
>>
>> I would very much appreciate your thoughts on this issue:
>> https://github.com/pi-hole/FTL/issues/336
>>
>> Thank you in advance for your time,
>>
>> -- 
>>
>> *Kind regards,*
>> Walter van 't Hoff
>>
>> *Exclusive-IT*
>> t: +31 (0)6 2264 8629
>> e: walter at exclusive-it.nl <mailto:walter at exclusive-it.nl>
>> w: Exclusive-IT.nl <https://exclusive-it.nl>
>>
> 
> 
> 
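
Added example (not part of the original thread, and not dnsmasq or Pi-hole code): a small Python audit that lists the zones a dnsmasq config sends to a dedicated upstream while `dnssec` is on, which is the `server=/local.tld/<address>` form the reply above gives for an unsigned local TLD. The sample config, its addresses (including the Unbound address 127.0.0.1#5335) and the function names are constructed for illustration.

```python
import re

# Constructed sample config; addresses and zone names are assumptions.
SAMPLE_CONF = """\
# default upstream
server=9.9.9.9
dnssec
server=/local.tld/127.0.0.1#5335   # unsigned local TLD served by Unbound
server=/corp.example/internal.example/10.0.0.53
server=/other.tld/#
local=/lan/
"""

def parse_server_value(value):
    """Split '/dom1/dom2/addr' into ([domains], addr); a bare 'addr' has no domains."""
    if not value.startswith("/"):
        return [], value
    parts = value.split("/")          # ['', dom1, ..., addr]
    return [d for d in parts[1:-1] if d], parts[-1]

def audit(conf_text):
    """Return (dnssec_enabled, {domain: upstream}) for domain-scoped server/local lines."""
    dnssec, scoped = False, {}
    for raw in conf_text.splitlines():
        # '#' starts a comment only at line start or after whitespace,
        # so 'addr#port' and the special address '#' are left intact.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "dnssec":
            dnssec = True
        elif key in ("server", "local"):   # --local is a synonym of --server
            domains, addr = parse_server_value(value)
            for domain in domains:
                scoped[domain] = addr
    return dnssec, scoped

def dedicated_upstream_zones(conf_text):
    """Zones forwarded to an explicit address while dnssec is on.
    '' (answer locally only) and '#' (use the default upstreams) are excluded."""
    dnssec, scoped = audit(conf_text)
    if not dnssec:
        return []
    return sorted(d for d, addr in scoped.items() if addr not in ("", "#"))

if __name__ == "__main__":
    for zone in dedicated_upstream_zones(SAMPLE_CONF):
        print("review: zone with dedicated upstream under dnssec:", zone)
```

Each zone it reports is one whose answers come from a resolver chosen in the config rather than through the trust path from the root, so the list is worth reviewing whenever the config changes.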



