[Dnsmasq-discuss] proxy-dnssec, how does it work (with unbound as upstream)

Dominik Derigs dl6er at dl6er.de
Fri Apr 14 19:44:36 UTC 2023


Hey Simon,

On Thu, 2023-04-13 at 22:15 +0100, Simon Kelley wrote:
> I'd like to know how EDE replies are being used, and what the changes 
> referred to in this statement by Peter are.
> 
> "Note that the changes made by the pi-hole developers have been
> implemented in pi-hole-FTL, the dnsmasq code for proxy-dnssec hasn't
> been changed, so using EDE only works with pi-hole, not with the
> official dnsmasq v2.89"

When dnsmasq validates DNSSEC, the returned status
(SECURE/INSECURE/BOGUS/ABANDONED) is being shown next to the query on
the Pi-hole web interface. Without DNSSEC validation, all queries remain
in UNKNOWN DNSSEC status as far as Pi-hole is concerned.

This has recently been changed with adding support for proxy-dnssec.
When this option is used, Pi-hole checks the reply from dnsmasq for the
AD bit to tell apart IN-/SECURE. When SERVFAIL happens, EDE codes are
used to differentiate "normal" from DNSSEC-related reasons.

As I have mentioned before and we have discussed here, relying on the AD
bit for the IN-/SECURE determination is the best we have with
proxy-dnssec but it is by far not very good.

--dnssec still seems the best option to me.

Best,
Dominik
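As an added illustration (not code from this post, dnsmasq or Pi-hole), here is the classification Dominik describes, as a small parser over constructed wire-format replies: the AD bit decides SECURE vs INSECURE, and on SERVFAIL an EDE option (RFC 8914, EDNS option code 15) decides whether the failure is DNSSEC-related. Which EDE codes count as "DNSSEC-related" and the label strings are my assumptions, as is the example.com query used to build the sample messages.

```python
import struct
# Assumptions (not from the post): which EDE codes count as "DNSSEC-related"
# and the exact label strings; the post only describes the AD/EDE logic.
DNSSEC_EDE = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}   # RFC 8914 validation failures
EDE_OPTION_CODE = 15   # EDNS option code for Extended DNS Errors
AD_BIT = 0x0020        # Authenticated Data flag in the DNS header
SERVFAIL = 2

def _skip_name(msg, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def ede_codes(msg):
    """Collect EDE INFO-CODEs from the OPT pseudo-RR of a DNS message."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, codes = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        o = 0
        while rtype == 41 and o + 4 <= len(rdata):   # 41 = OPT
            code, length = struct.unpack("!HH", rdata[o:o + 4])
            if code == EDE_OPTION_CODE and length >= 2:
                codes.append(struct.unpack("!H", rdata[o + 4:o + 6])[0])
            o += 4 + length
    return codes

def classify(msg):
    """AD bit -> SECURE/INSECURE; SERVFAIL -> BOGUS only if an EDE says DNSSEC."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if flags & 0x000F == SERVFAIL:          # extended RCODE bits in OPT TTL ignored
        return "BOGUS" if DNSSEC_EDE & set(ede_codes(msg)) else "SERVFAIL"
    return "SECURE" if flags & AD_BIT else "INSECURE"

def build_reply(ad, rcode, ede=None):
    """Constructed minimal reply for example.com: header, question, OPT RR."""
    flags = 0x8180 | (AD_BIT if ad else 0) | rcode       # QR, RD, RA set
    opt_rdata = b"" if ede is None else struct.pack("!HHH", EDE_OPTION_CODE, 2, ede)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(opt_rdata)) + opt_rdata
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1) + b"\x07example\x03com\x00\x00\x01\x00\x01" + opt
```

A reply whose SERVFAIL carries no EDE, or one with a non-DNSSEC code such as 23 (Network Error), is reported as a plain SERVFAIL rather than BOGUS, which is exactly the distinction the AD bit alone cannot make.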