[Dnsmasq-discuss] proxy-dnssec, how does it work (with unbound as upstream)
Dominik Derigs
dl6er at dl6er.de
Fri Apr 14 19:44:36 UTC 2023
Hey Simon,
On Thu, 2023-04-13 at 22:15 +0100, Simon Kelley wrote:
> I'd like to know how EDE replies are being used, and what the changes
> referred to in this statement by Peter are.
>
> "Note that the changes made by the pi-hole developers have been
> implemented in pi-hole-FTL, the dnsmasq code for proxy-dnssec hasn't
> been changed, so using EDE only works with pi-hole, not with the
> official dnsmasq v2.89"
When dnsmasq validates DNSSEC, the returned status
(SECURE/INSECURE/BOGUS/ABANDONED) is being shown next to the query on
the Pi-hole web interface. Without DNSSEC validation, all queries remain
in UNKNOWN DNSSEC status as far as Pi-hole is concerned.
This has recently been changed by adding support for proxy-dnssec.
When this option is used, Pi-hole checks the reply from dnsmasq for the
AD bit to tell apart IN-/SECURE. When SERVFAIL happens, EDE codes are
used to differentiate "normal" from DNSSEC-related reasons.
As I have mentioned before and we have discussed here, relying on the AD
bit for the IN-/SECURE determination is the best we have with
proxy-dnssec but it is by far not very good.
--dnssec still seems the best option to me.
Best,
Dominik
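The classification Dominik describes (AD bit for SECURE/INSECURE, EDE codes to tell a DNSSEC-related SERVFAIL from an ordinary one), as an added illustration that is neither Pi-hole's nor dnsmasq's code: it parses a raw DNS reply, reads the AD bit and RCODE from the header, and walks the additional section for an OPT record carrying an EDE option. The `build_reply` helper, the constructed sample replies, the 192.0.2.1 documentation address and the set of EDE info-codes treated as DNSSEC-related are my own assumptions; the thread does not say which codes Pi-hole maps to which status.

```python
import struct
EDE_OPTION_CODE = 15                 # EDNS option code for Extended DNS Error (RFC 8914)
RCODE_SERVFAIL, AD_FLAG = 2, 0x0020  # header RCODE value / Authenticated Data bit
DNSSEC_EDE_CODES = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}  # RFC 8914 codes that report a DNSSEC validation problem (assumed mapping)

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def ede_codes(msg):
    """Collect EDE info-codes from the OPT RR (type 41) in the additional section."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, codes = 12, set()
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])  # TYPE, (CLASS, TTL), RDLENGTH
        rdata, off, pos = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        while rtype == 41 and pos + 4 <= len(rdata):              # OPTION-CODE, OPTION-LENGTH, data
            ocode, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if ocode == EDE_OPTION_CODE and olen >= 2:
                codes.add(struct.unpack("!H", rdata[pos + 4:pos + 6])[0])  # INFO-CODE
            pos += 4 + olen
    return codes

def dnssec_status(msg):
    """Classify a reply as the post describes: AD bit first, EDE codes only on SERVFAIL."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if (flags & 0x000F) == RCODE_SERVFAIL:
        return "BOGUS" if ede_codes(msg) & DNSSEC_EDE_CODES else "SERVFAIL"
    return "SECURE" if flags & AD_FLAG else "INSECURE"

def build_reply(flags, ede_code=None):
    """Constructed sample reply for example.com/A, optionally with one EDE option in an OPT RR."""
    servfail = (flags & 0x000F) == RCODE_SERVFAIL
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 0 if servfail else 1, 0, 0 if ede_code is None else 1)
    msg = hdr + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)      # question: example.com A IN
    if not servfail:                     # A record whose owner name is a pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if ede_code is not None:             # OPT RR: root owner, TYPE 41, UDP size, ext-rcode/flags, options
        opt = struct.pack("!HHH", EDE_OPTION_CODE, 2, ede_code)
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(opt)) + opt
    return msg
```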