I'm using dnsmasq (pihole-FTL) as the DNS server for clients, and unbound (compiled from the GitHub repository) as the upstream for dnsmasq, both running on the same machine.

dnsmasq has a setting 'proxy-dnssec'; its description in the dnsmasq man page (https://dnsmasq.org/docs/dnsmasq-man.html) is:

--proxy-dnssec Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients. This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. Note that caching the Authenticated Data bit correctly in all cases is not technically possible. If the AD bit is to be relied upon when using this option, then the cache should be disabled using --cache-size=0.

Q: can unbound be configured to provide this information to the downstream dnsmasq? If 'yes', how? If 'no', feature request...

Unbound is configured to use DNSSEC validation, dnsmasq isn't. The proxy-dnssec option would (hopefully) be usable to provide a more correct result than the current SERVFAIL, which is the result if DNSSEC validation by unbound fails.
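An added configuration example (not from the original post or from the unbound/dnsmasq projects) showing the two settings that govern what the question asks about: unbound sets the AD bit only on answers it validated, and only when the incoming query itself carried the AD or DO flag (e.g. `dig +adflag`), while `val-permissive-mode` decides whether a bogus answer becomes SERVFAIL or is returned with AD clear. File paths, the listening port 5335 and the trust-anchor path are assumptions for illustration.

```conf
# /etc/unbound/unbound.conf (assumed path): validating upstream for dnsmasq
server:
    interface: 127.0.0.1
    port: 5335                      # assumed; must match dnsmasq's server= line
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # DNSSEC validation on; the root trust-anchor path is distro-specific (assumed)
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # no (default): bogus answers are withheld and the client receives SERVFAIL.
    # yes: bogus answers are passed through *without* the AD bit, so a
    #      --proxy-dnssec forwarder hands clients an AD-clear answer instead of
    #      SERVFAIL. Only safe if every client actually checks AD before trusting
    #      the data; clients that ignore AD will accept forged records.
    val-permissive-mode: no
    # log validation failures so bogus answers are visible in the unbound log
    val-log-level: 1

# /etc/dnsmasq.d/01-upstream.conf (assumed path): forwarder in front of unbound
server=127.0.0.1#5335
proxy-dnssec
# man page: the AD bit cannot be cached correctly in all cases
cache-size=0
```

With `val-permissive-mode: no` the observable behaviour is unchanged from the post (SERVFAIL on validation failure); the AD bit still reaches clients for validated answers as long as their queries set AD or DO.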