[Dnsmasq-discuss] DNSSEC + No Cache not possible

Simon Kelley simon at thekelleys.org.uk
Thu Feb 20 21:39:34 GMT 2020

On 17/02/2020 04:14, Marc Dirsus wrote:
> Referring to this github issue it seems that dnsmasq can't disable
> caching when dnssec is enabled. I and others would love to see this
> changed. I have an unbound server installed and get statistics from there
> that are way too low because pi-hole or better dnsmasq is caching before.
> I could disable dnssec but I don't want to do that and no one should
> disable this.
> https://github.com/pi-hole/FTL/issues/692

The cache is integral to DNSSEC validation because the validation
requires the use of a whole set of RRsets. The only way to have all
those RRsets is to put them in the cache.

It would be possible to have dnsmasq use the cache for DNSSEC
validation, but not to answer queries, but that doesn't seem like a
particularly useful thing to do.

A quick look at the dnsmasq man page shows that we're not afraid to add
options, but options really have to make sense and be useful to a
significant number of people, not just a way to remove an annoyance in
one installation. Your task, therefore, is to show that an option which
leaves the cache intact but disables its use for answering queries, is
a generally useful feature.
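
The following is an added example, not part of the original message and not dnsmasq code. It models the RRset store a validator needs for one signed answer and counts upstream queries with and without the option discussed above; the names `Validator` and `answer_from_cache`, the sample names under `example.com.`, and the assumption that every label is a zone cut are all hypothetical.

```python
# Added illustration: a model of the RRset store, not dnsmasq code.
# No signatures are verified; it only tracks which RRsets a validator
# must hold and how many upstream queries fetching them costs.

def parent(zone):
    """Parent of a zone name written with a trailing dot; root is '.'."""
    if zone == ".":
        return None
    rest = zone.split(".", 1)[1]
    return rest or "."

def rrsets_needed(qname, qtype, signer_zone):
    """RRsets (each with its RRSIG) on the chain from answer to root.
    Assumes every label is a zone cut, which real zones need not be."""
    needed = [(qname, qtype)]
    zone = signer_zone
    while zone is not None:
        needed.append((zone, "DNSKEY"))   # verifies RRSIGs made in this zone
        if zone != ".":
            needed.append((zone, "DS"))   # parent-signed digest of that key
        zone = parent(zone)               # root DNSKEY is checked against the trust anchor
    return needed

class Validator:
    def __init__(self, answer_from_cache):
        self.answer_from_cache = answer_from_cache  # hypothetical option
        self.store = set()                          # the cache of RRsets
        self.upstream_queries = 0

    def resolve(self, qname, qtype, signer_zone):
        """Return the number of upstream queries this client query caused."""
        sent = 0
        for i, key in enumerate(rrsets_needed(qname, qtype, signer_zone)):
            is_answer = (i == 0)
            reusable = self.answer_from_cache or not is_answer
            if key in self.store and reusable:
                continue                  # already held, no upstream query
            sent += 1
            self.store.add(key)
        self.upstream_queries += sent
        return sent

def demo():
    """Ask for the same constructed name twice in each mode."""
    results = {}
    for mode in (True, False):
        v = Validator(answer_from_cache=mode)
        q = ("www.example.com.", "A", "example.com.")
        results[mode] = [v.resolve(*q), v.resolve(*q)]
    return results

if __name__ == "__main__":
    print(demo())
```

In this model the first query costs six upstream lookups in either mode; with the option off for answers, a repeat costs one lookup (the answer itself) while the DNSKEY and DS RRsets are still reused from the store.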



