Hi Peter,
Unbound with DNSSEC validation configured will reply with the AD bit for
secure answers and SERVFAIL for bogus answers. Insecure answers will get
the answer without the AD bit set.
Newer versions (>= 1.16.0) will also attach EDE codes for DNSSEC
validation failures to the SERVFAIL answers.
So I believe proxy-dnssec would do what you want since both pieces of
software are installed on the same machine.
Not sure what a "... more correct result than the current SERVFAIL,
which is the result if DNSSEC validation by unbound fails." is though :)
Best regards,
-- Yorgos
On 03/04/2023 10:20, Peter Russel via Unbound-users wrote:
I'm using dnsmasq (pihole-FTL) as DNS server for clients, unbound
(compiled from GitHub repository) as upstream for dnsmasq, both
running on the same machine.
dnsmasq has a setting 'proxy-dnssec', description in the dnsmasq man
page (https://dnsmasq.org/docs/dnsmasq-man.html):
--proxy-dnssec Copy the DNSSEC Authenticated Data bit from upstream
servers to downstream clients. This is an alternative to having
dnsmasq validate DNSSEC, but it depends on the security of the network
between dnsmasq and the upstream servers, and the trustworthiness of
the upstream servers. Note that caching the Authenticated Data bit
correctly in all cases is not technically possible. If the AD bit is
to be relied upon when using this option, then the cache should be
disabled using --cache-size=0.
Q: can unbound be configured to provide this information to the
downstream dnsmasq, if 'yes', how, if 'no' feature request...
Unbound is configured to use DNSSEC validation, dnsmasq isn't. The
proxy-dnssec option would (hopefully) be usable to provide a more
correct result than the current SERVFAIL, which is the result if
DNSSEC validation by unbound fails.
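Added example, not part of the thread and not code from Unbound or dnsmasq: a small stdlib-only Python script that classifies wire-format DNS responses the way a downstream such as dnsmasq with proxy-dnssec would see them from a validating Unbound. It checks the three outcomes Yorgos describes (AD bit set for secure, no AD bit for insecure, SERVFAIL for bogus) and additionally decodes the Extended DNS Error option (RFC 8914, EDNS option code 15) that Unbound 1.16.0 and later attaches to validation failures, so a SERVFAIL caused by a bogus signature can be told apart from a plain upstream failure. The three sample messages are constructed inline; nothing is sent on the network, and the EDE text in the bogus sample is made up for the example rather than copied from Unbound.

```python
"""
Classify DNS responses as a downstream resolver would see them from a
validating Unbound: Secure -> AD bit set, Insecure -> no AD bit,
Bogus -> SERVFAIL, optionally with an Extended DNS Error (EDE) option.
All messages here are constructed sample input; no network traffic.
"""
import struct

EDE_OPTION_CODE = 15          # RFC 8914, EDNS option code for EDE
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
TYPE_A, TYPE_OPT = 1, 41
AD_FLAG = 0x0020              # Authenticated Data bit in the header flags word
# RFC 8914 info-codes that describe a DNSSEC validation problem
# (6 = DNSSEC Bogus, 7 = Signature Expired, 10 = RRSIGs Missing, ...)
DNSSEC_EDE_CODES = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}


def _encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, root = 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, ad, answer_ip=None, ede=None):
    """Build a minimal response (constructed test input, not a real capture)."""
    flags = 0x8180 | (AD_FLAG if ad else 0) | rcode     # QR, RD, RA + rcode
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 1)
    msg += _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)  # question
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        # 0xC00C = compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + rdata
    opt_rdata = b""
    if ede is not None:
        info_code, text = ede
        body = struct.pack("!H", info_code) + text.encode("utf-8")
        opt_rdata = struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body
    # OPT pseudo-RR: root name, type 41, CLASS = UDP size, TTL = ext-rcode/flags
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(opt_rdata))
    return msg + opt_rdata


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def classify_response(msg):
    """Return rcode, AD flag, decoded EDE options and a DNSSEC status label."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    edes = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0                                  # walk the EDNS option list
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, pos)
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info_code = struct.unpack_from("!H", body, 0)[0]
                edes.append((info_code, body[2:].decode("utf-8", "replace")))
    rcode = flags & 0x000F
    ad = bool(flags & AD_FLAG)
    if rcode == RCODE_SERVFAIL:
        # Without an EDE a SERVFAIL is ambiguous (bogus data or upstream failure)
        status = "bogus" if any(c in DNSSEC_EDE_CODES for c, _ in edes) else "servfail"
    else:
        status = "secure" if ad else "insecure"
    return {"rcode": rcode, "ad": ad, "ede": edes, "status": status}


# Constructed samples for the three cases described in the thread.
SAMPLES = {
    "secure": build_response("example.com.", RCODE_NOERROR, ad=True, answer_ip="192.0.2.1"),
    "insecure": build_response("example.net.", RCODE_NOERROR, ad=False, answer_ip="192.0.2.2"),
    "bogus": build_response("bad.example.", RCODE_SERVFAIL, ad=False,
                            ede=(6, "DNSSEC bogus (constructed sample text)")),
}

if __name__ == "__main__":
    for label, wire in SAMPLES.items():
        print(label, classify_response(wire))
```

Against a live setup the equivalent check is `dig +dnssec <name> @127.0.0.1 -p <unbound port>` and looking for `ad` in the flags line (recent dig versions also print any EDE option on SERVFAIL). Note that the classifier works per response, which is exactly why the dnsmasq man page quoted above says the AD bit cannot be cached correctly in all cases and recommends `--cache-size=0` when downstream clients are going to rely on it.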