dnsmasq with unbound as upstream - DNSSEC

Peter Russel jpgpi250 at gmail.com
Mon Apr 3 08:20:44 UTC 2023

I'm using dnsmasq (pihole-FTL) as the DNS server for clients, and unbound
(compiled from the GitHub repository) as upstream for dnsmasq, both
running on the same machine.

dnsmasq has a setting 'proxy-dnssec'; the description in the dnsmasq man
page (https://dnsmasq.org/docs/dnsmasq-man.html) reads:

--proxy-dnssec Copy the DNSSEC Authenticated Data bit from upstream
servers to downstream clients. This is an alternative to having
dnsmasq validate DNSSEC, but it depends on the security of the network
between dnsmasq and the upstream servers, and the trustworthiness of
the upstream servers. Note that caching the Authenticated Data bit
correctly in all cases is not technically possible. If the AD bit is
to be relied upon when using this option, then the cache should be
disabled using --cache-size=0.

Q: can unbound be configured to provide this information to the
downstream dnsmasq? If 'yes', how; if 'no', feature request...

Unbound is configured to use DNSSEC validation, dnsmasq isn't. The
proxy-dnssec option would (hopefully) be usable to provide a more
correct result than the current SERVFAIL, which is the result if
DNSSEC validation by unbound fails.
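As an added illustration (not part of the original post, and not code from dnsmasq or unbound), the following Python models the wire-level facts the question turns on: where the AD bit sits in the DNS header, the RFC 6840 section 5.7 rule that a validating resolver sets AD only when the query carried the AD flag or the EDNS DO bit, the SERVFAIL a validator returns for bogus data unless the client set CD, and what "copying the AD bit from upstream to downstream" amounts to. The resolver and forwarder behaviour here is a simplified model that is assumed, not taken from the unbound or dnsmasq sources; all messages are constructed inline.

```python
import struct

# Second 16-bit word of the DNS header (RFC 1035; AD/CD added by RFC 2535).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020          # Authenticated Data: the bit --proxy-dnssec copies
FLAG_CD = 0x0010          # Checking Disabled
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_DO = 0x8000          # DNSSEC OK bit in the OPT record's TTL field (RFC 6891)


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read an uncompressed name (enough for the question section)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer, two bytes
            return off + 2
        off += 1 + n


def build_message(txid, flags, qname, answer_ip=None, edns_do=None):
    """One question; optional A answer; optional OPT record (edns_do=None: no EDNS)."""
    msg = struct.pack("!6H", txid, flags, 1, 1 if answer_ip else 0, 0,
                      0 if edns_do is None else 1)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    if edns_do is not None:
        # OPT RR: root name; "class" carries UDP size; "TTL" carries ext-rcode/version/DO
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO if edns_do else 0, 0)
    return msg


def parse_message(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                     # qtype, qclass
    for _ in range(qd - 1):
        off = skip_name(msg, off) + 4
    edns, do = False, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns, do = True, bool(ttl & EDNS_DO)
    return {"id": txid, "qname": qname, "answers": an, "rcode": flags & RCODE_MASK,
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "edns": edns, "do": do}


def validating_resolver_reply(query, answer_ip, secure):
    """Model of a validating upstream (an assumption about unbound, simplified):
    bogus data gives SERVFAIL unless the client set CD; secure data gets AD only
    when the query asked for it with AD or DO (RFC 6840 section 5.7)."""
    q = parse_message(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    edns = q["do"] if q["edns"] else None
    if not secure and not q["cd"]:
        return build_message(q["id"], flags | RCODE_SERVFAIL, q["qname"], edns_do=edns)
    if secure and (q["ad"] or q["do"]):
        flags |= FLAG_AD
    return build_message(q["id"], flags, q["qname"], answer_ip=answer_ip, edns_do=edns)


def forward_reply(client_query, upstream_reply, proxy_dnssec):
    """Model of a non-validating forwarder in front of the resolver (an assumption
    about dnsmasq): it hands the upstream reply to the client under the client's
    transaction ID; with proxy_dnssec it copies AD, otherwise it clears AD because
    it has not verified anything itself."""
    txid = struct.unpack("!H", client_query[:2])[0]
    flags = struct.unpack("!H", upstream_reply[2:4])[0]
    if not proxy_dnssec:
        flags &= 0xFFFF ^ FLAG_AD
    return struct.pack("!HH", txid, flags) + upstream_reply[4:]


def demo():
    """Constructed traffic: what the client ends up seeing in each case."""
    q_ad = build_message(0x1234, FLAG_RD | FLAG_AD, "example.com.")
    q_plain = build_message(0x1235, FLAG_RD, "example.com.")
    q_do = build_message(0x1236, FLAG_RD, "example.com.", edns_do=True)
    q_cd = build_message(0x1237, FLAG_RD | FLAG_CD, "example.com.")
    reply_secure = lambda q: validating_resolver_reply(q, "192.0.2.1", secure=True)
    reply_bogus = lambda q: validating_resolver_reply(q, "192.0.2.1", secure=False)
    return {
        "ad_requested_proxied": parse_message(forward_reply(q_ad, reply_secure(q_ad), True))["ad"],
        "ad_requested_not_proxied": parse_message(forward_reply(q_ad, reply_secure(q_ad), False))["ad"],
        "no_ad_no_do": parse_message(forward_reply(q_plain, reply_secure(q_plain), True))["ad"],
        "do_only": parse_message(forward_reply(q_do, reply_secure(q_do), True))["ad"],
        "bogus_rcode": parse_message(forward_reply(q_ad, reply_bogus(q_ad), True))["rcode"],
        "bogus_with_cd_answers": parse_message(forward_reply(q_cd, reply_bogus(q_cd), True))["answers"],
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

The practical point for the setup in the post: the AD bit only reaches the client if the forwarder passes the client's AD or DO request through to unbound (otherwise unbound has no reason to set it and there is nothing to proxy), and if the forwarder then copies rather than clears it. Querying unbound's port and then dnsmasq's port with dig +adflag (or +dnssec) shows whether the bit survives each hop. The man page's cache caveat is independent of this: an answer served from cache was not just validated for that query, which is why the man page pairs --proxy-dnssec with --cache-size=0.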

