[Dnsmasq-discuss] proxy-dnssec, how does it work (with unbound as upstream)
Simon Kelley
simon at thekelleys.org.uk
Thu Apr 13 09:20:14 UTC 2023
On 13/04/2023 07:37, Peter Russel wrote:
> Hi Simon
>
> Unfortunately, it looks like I've been shouting victory a little too soon.
>
> The results are perfect when using dig, however, when using a browser
> (firefox, edge) the results are unreliable / inconsistent.
>
> The assumption is that adding the setting "add-cpe-id=01234" ensures
> dnsmasq will ALWAYS request EDE information from upstream (unbound).
> Can you confirm this?
Assuming that by "request EDE information" you mean, "add an EDNS0 RR to
the query so that unbound has somewhere to return the EDE record" then
the only obvious condition where this won't happen as a result of
configuring "add-cpe" is if doing so would make the UDP packet too
large. Since we're talking about queries and not answers here, that's
very unlikely. It does raise the question of what Unbound does when
adding EDE information pushes an answer over the packet size limit. Does
it ditch the EDE, or set the truncated bit to force a retry over TCP?
>
> There are currently 2 possible causes why it doesn't work perfectly.
>
> 1. the dnsmasq setting "add-cpe-id=01234" doesn't do what is expected
> (always request EDE)
>
> 2. unbound doesn't store the EDE information in its cache. Apparently
> there are two PRs that haven't been merged into master yet, that
> would accomplish this, see the unbound issue
> https://github.com/NLnetLabs/unbound/issues/873, comment from gthess.
>
> Note that I also have knot-resolver installed on my system (using it
> for script-related tasks - normally inactive).
> The pi-hole scripts will use knot-resolver as upstream (configured
> using server= dnsmasq setting, example
> "server=/v.firebog.net/127.10.10.5#5555"). The results from queries
> with knot-resolver as upstream are also inconsistent. I have no idea
> if knot-resolver caches EDE info, there is a lot less info available
> for knot-resolver...
>
> I'm waiting for the unbound PRs to be merged into master, so I can
> compile unbound with these changes, possibly excluding or confirming
> this as the cause.
>
> Could you confirm the setting "add-cpe-id=01234" does instruct dnsmasq
> to always request EDE, if NOT, is it possible to do this in another
> way?
>
> Note that the changes made by the pi-hole developers have been
> implemented in pi-hole-FTL, the dnsmasq code for proxy-dnssec hasn't
> been changed, so using EDE only works with pi-hole, not with the
> official dnsmasq v2.89
>
> Don't know if you have a direct line with the pi-hole developer, if
> you do, you could discuss this directly, I'm just the middle man here,
> knowledgeable enough to test, not to change the code...
I'm in contact with the pi-hole people.
Can I ask a favour? Could you post here a summary of what you're trying
to achieve, what the problem(s) are and what the solutions are? The
thread you posted no doubt has that information, but extracting it when
coming in cold is hard and time-consuming.
Cheers,
Simon.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>
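To make the mechanism Simon describes concrete (an EDNS0 OPT RR on the query gives the upstream somewhere to put an EDE option on the reply, and a reply that grows past the advertised UDP size either loses the EDE or comes back with TC set), here is an added, stand-alone example. It is not code from dnsmasq, unbound or pi-hole. It builds a query the way dnsmasq would with add-cpe-id configured, builds a constructed upstream reply carrying an RFC 8914 EDE option, and parses the reply for rcode, TC bit, peer UDP size and every EDE present. The CPE-ID option code 65074 is my assumption of the Nominum code dnsmasq uses; the query name, the SERVFAIL reply and its EDE text are constructed for the example, not captured traffic.

```python
"""EDNS0 query with a CPE-ID option, constructed reply with EDE, and a reply parser (pure stdlib)."""
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR (RFC 6891)
EDE_OPTION = 15          # Extended DNS Error option (RFC 8914)
CPE_ID_OPTION = 65074    # assumption: the Nominum CPE-ID option code dnsmasq uses for add-cpe-id
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-encode a dotted name as uncompressed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_opt(udp_size, options):
    """OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL = 0, RDATA = options."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata


def build_query(qname, qtype=1, txid=0x1234, udp_size=1232, cpe_id=None):
    """A query that always carries an OPT RR; with cpe_id it mirrors dnsmasq under add-cpe-id."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    options = [(CPE_ID_OPTION, cpe_id.encode("ascii"))] if cpe_id is not None else []
    return header + question + build_opt(udp_size, options)


def build_reply(query, rcode, edes, udp_size=1232, truncated=False):
    """Constructed upstream reply: same txid and question, no answers, EDE options in the OPT RR."""
    txid = struct.unpack_from("!H", query, 0)[0]
    qend = skip_name(query, 12) + 4                      # end of the (uncompressed) question
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    options = [(EDE_OPTION, struct.pack("!H", code) + text.encode("utf-8")) for code, text in edes]
    return header + query[12:qend] + build_opt(udp_size, options)


def parse_reply(msg):
    """Extract rcode, TC bit, the peer's UDP size, all EDNS options and every EDE (code, text)."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                    # name + qtype + qclass
    result = {"rcode": flags & 0xF, "truncated": bool(flags & FLAG_TC),
              "udp_size": None, "options": [], "ede": []}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT_TYPE:
            result["udp_size"] = rclass
            pos, end = off, off + rdlen
            while pos + 4 <= end:
                code, olen = struct.unpack_from("!HH", msg, pos)
                pos += 4
                data = msg[pos:pos + olen]
                result["options"].append((code, data))
                if code == EDE_OPTION and olen >= 2:     # INFO-CODE (2 bytes) then EXTRA-TEXT
                    info = struct.unpack_from("!H", data, 0)[0]
                    result["ede"].append((info, data[2:].decode("utf-8", "replace")))
                pos += olen
        off += rdlen
    return result


def ede_size(edes):
    """Bytes the EDE options add to a reply: 4-byte option header + 2-byte code + text, each."""
    return sum(6 + len(text.encode("utf-8")) for _code, text in edes)


if __name__ == "__main__":
    q = build_query("example.com", cpe_id="01234")
    # Constructed SERVFAIL with EDE 6 (DNSSEC Bogus): the case a validating upstream would report.
    r = build_reply(q, rcode=2, edes=[(6, "validation failure <example.com. A IN>")])
    print(parse_reply(r))
```

Run it against a real upstream by sending build_query() over UDP to port 53 and feeding the datagram to parse_reply(): if "ede" is empty but "truncated" is True, the resolver chose TC over dropping the option, and the retry needs to go over TCP; if both are empty, the option was dropped or never added. ede_size() tells you how much the EDE costs against the "udp_size" the peer advertised.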