[Dnsmasq-discuss] Possible to enable DNSSEC only for specific upstream servers?
Kevin P. Fleming
lists.dnsmasq at kevin.km6g.us
Sat Oct 19 13:51:15 UTC 2024
I use dnsmasq on my OpenWrt-based travel router, and generally it works great. I want to enable DNSSEC validation for a domain that I operate, and to do that I've installed a trust anchor for the domain and configured a 'server' entry to route requests for that domain to a recursive resolver that I run (over a WireGuard VPN).
Unfortunately, when the 'general' upstream resolvers provided by the hotel/airplane/etc. don't provide RRSIG in their responses, I have to disable the global 'dnssec' setting in dnsmasq, otherwise all DNS resolution is broken.
My ideal configuration would be to have DNSSEC validation disabled globally, but enabled specifically for the one domain where I've provided a trust anchor and upstream server (separate from the ones provided by the DHCP client).
Can anyone suggest a configuration which might accomplish this? Would removing the root trust anchors solve this issue?