dnsmasq with unbound as upstream - DNSSEC

George (Yorgos) Thessalonikefs george at nlnetlabs.nl
Wed Apr 5 10:54:47 UTC 2023


Hi Peter,

Unbound with DNSSEC validation configured will reply with the AD bit for 
secure answers and SERVFAIL for bogus answers. Insecure answers will get 
the answer without the AD bit set.

Newer versions (>= 1.16.0) will also attach EDE codes for DNSSEC 
validation failures to the SERVFAIL answers.

So I believe proxy-dnssec would do what you want since both pieces of 
software are installed on the same machine.

Not sure what a "... more correct result than the current SERVFAIL, 
which is the result if DNSSEC validation by unbound fails." is though :)

Best regards,
-- Yorgos

On 03/04/2023 10:20, Peter Russel via Unbound-users wrote:
> I'm using dnsmasq (pihole-FTL) as DNS server for clients, unbound
> (compiled from GitHub repository) as upstream for dnsmasq, both
> running on the same machine.
> 
> dnsmasq has a setting 'proxy-dnssec'; the description in the dnsmasq man
> page (https://dnsmasq.org/docs/dnsmasq-man.html) is:
> 
> --proxy-dnssec Copy the DNSSEC Authenticated Data bit from upstream
> servers to downstream clients. This is an alternative to having
> dnsmasq validate DNSSEC, but it depends on the security of the network
> between dnsmasq and the upstream servers, and the trustworthiness of
> the upstream servers. Note that caching the Authenticated Data bit
> correctly in all cases is not technically possible. If the AD bit is
> to be relied upon when using this option, then the cache should be
> disabled using --cache-size=0.
> 
> Q: can unbound be configured to provide this information to the
> downstream dnsmasq, if 'yes', how, if 'no' feature request...
> 
> Unbound is configured to use DNSSEC validation, dnsmasq isn't. The
> proxy-dnssec option would (hopefully) be usable to provide a more
> correct result than the current SERVFAIL, which is the result if
> DNSSEC validation by unbound fails.
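The three cases Yorgos describes (AD bit set for secure, SERVFAIL with an EDE option for bogus, neither for insecure) as an added example that is not part of this thread and not unbound or dnsmasq code: a small Python parser that classifies a wire-format DNS response the way a proxy-dnssec forwarder depends on it. The sample messages are constructed inline; EDE option code 15 and info code 6 (DNSSEC Bogus) are from RFC 8914.

```python
import struct

EDE_OPTION = 15  # RFC 8914 Extended DNS Error option code
EDE_NAMES = {6: "DNSSEC Bogus", 7: "Signature Expired", 9: "DNSKEY Missing", 10: "RRSIGs Missing"}

def _skip_name(msg, off):  # advance past labels or a 2-byte compression pointer
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def classify(msg):
    """Return (verdict, ad, rcode, ede_codes) for one wire-format response."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    ad, rcode = bool(flags & 0x0020), flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ede = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 41:  # OPT pseudo-RR: walk the EDNS options looking for EDE
            p = 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                if code == EDE_OPTION and olen >= 2:
                    ede.append(struct.unpack("!H", rdata[p + 4:p + 6])[0])
                p += 4 + olen
    # unbound's behaviour as described above: SERVFAIL = bogus, AD bit = secure
    verdict = "bogus" if rcode == 2 else ("secure" if ad else "insecure")
    return verdict, ad, rcode, ede

def build(flags, ede_code=None):
    """Constructed minimal response for example.com/A with no answer RRs."""
    opt = b""
    if ede_code is not None:
        text = b"validation failure"
        option = struct.pack("!HHH", EDE_OPTION, 2 + len(text), ede_code) + text
        opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, len(option)) + option
    hdr = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1 if opt else 0)
    return hdr + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1) + opt

SECURE, INSECURE = build(0x81A0), build(0x8180)  # QR RD RA (+AD), NOERROR
BOGUS = build(0x8182, 6)  # QR RD RA, SERVFAIL, EDE 6 "DNSSEC Bogus"
```

`classify(BOGUS)` yields the EDE info code list that newer unbound attaches to its SERVFAIL, which is the detail dnsmasq itself does not surface when it merely proxies the AD bit.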

