I'm using dnsmasq (pihole-FTL) as DNS server for clients, unbound
(compiled from GitHub repository) as upstream for dnsmasq, both
running on the same machine.
dnsmasq has a setting 'proxy-dnssec'; the description in the dnsmasq man
page (https://dnsmasq.org/docs/dnsmasq-man.html) reads:
--proxy-dnssec Copy the DNSSEC Authenticated Data bit from upstream
servers to downstream clients. This is an alternative to having
dnsmasq validate DNSSEC, but it depends on the security of the network
between dnsmasq and the upstream servers, and the trustworthiness of
the upstream servers. Note that caching the Authenticated Data bit
correctly in all cases is not technically possible. If the AD bit is
to be relied upon when using this option, then the cache should be
disabled using --cache-size=0.
Q: can unbound be configured to provide this information to the
downstream dnsmasq? If 'yes', how; if 'no', feature request...
Unbound is configured to use DNSSEC validation, dnsmasq isn't. The
proxy-dnssec option would (hopefully) be usable to provide a more
correct result than the current SERVFAIL, which is the result if
DNSSEC validation by unbound fails.
Hi Peter,
Unbound with DNSSEC validation configured will reply with the AD bit for secure answers and SERVFAIL for bogus answers. Insecure answers will get the answer without the AD bit set.
Newer versions (>= 1.16.0) will also attach EDE codes for DNSSEC validation failures to the SERVFAIL answers.
So I believe proxy-dnssec would do what you want since both pieces of software are installed on the same machine.
Not sure what a "... more correct result than the current SERVFAIL, which is the result if DNSSEC validation by unbound fails." is though
Best regards,
-- Yorgos
Hi George,
There may be a bug in the code that attaches EDE codes for DNSSEC
validation failures to the SERVFAIL answers.
I've created an unbound issue here:
Issue opened 01:31PM - 08 Apr 23 UTC, closed 10:10AM - 30 Jul 23 UTC
**Describe the bug**
Asked this question in the unbound mailing list (https://l… ists.nlnetlabs.nl/pipermail/unbound-users/2023-April/008069.html).
George (Yorgos) Thessalonikefs answered this is possible by using "EDE codes for DNSSEC validation failures to the SERVFAIL answers".
The FTL developer has added code to evaluate these codes, however, the results are inconsistent.
After investigating this, it turns out **the EDE codes are NOT always present in the reply**; the pi-hole topic has an attachment with extended **log**ging from pihole-FTL (= dnsmasq) and a **pcap** file that clearly shows the missing EDE information. The pi-hole topic, start reading from here: https://discourse.pi-hole.net/t/dnssec-discussion-support-for-proxy-dnssec/62217/17
The **pcap** file and **log** are found in the next entry (18).
**To reproduce**
run unbound with "ede: yes", check the replies from unbound -> downstream.
- dig www.dnssec-failed.org (on linux host) -> OK
- browse (Microsoft Edge or Firefox) to www.dnssec-failed.org -> fail
**Expected behavior**
Return EDE information for all queries, if available.
The strange thing is it works (EDE is returned) for dig requests (dig A www.dnssec-failed.org and dig AAAA www.dnssec-failed.org), but fails when a browser is making the request (open www.dnssec-failed.org in Microsoft Edge and / or Firefox).
**System:**
- Unbound version: 1.17.2 (compiled from GitHub source)
- OS: raspbian on raspberry pi 3B (Linux raspberrypi 6.1.21-v7+ #1642 SMP Mon Apr 3 17:20:52 BST 2023 armv7l GNU/Linux)
- `unbound -V` output:
```
Version 1.17.2
Configure line: --prefix=/usr --sysconfdir=/etc --disable-static --enable-tfo-client --enable-tfo-server --with-libevent --with-libhiredis --enable-cachedb --with-pidfile=/run/unbound.pid
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 1.1.1n 15 Mar 2022
Linked modules: dns64 cachedb respip validator iterator
TCP Fastopen feature available
```
**Additional information**
The goal is to run pihole-FTL (= dnsmasq) with option proxy-dnssec. This appears to be working, but the EDE information isn't always present.
Apparently, the EDE codes aren't always present; extensive log and
pcap file data are available in the pi-hole topic
(DNSSEC discussion - support for proxy-dnssec - #21 by DL6ER - General - Pi-hole Userspace).
Can you please have a look?
Thanks
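Yorgos' description of Unbound's behaviour (AD bit on secure answers, SERVFAIL plus an EDE option on validation failures) and the issue's finding that the EDE option is sometimes missing both come down to what is actually inside the reply packet. The following is an added example, not code from the thread, Unbound or pihole-FTL: a small wire-format inspector that reports RCODE, AD bit and any RFC 8914 EDE options found in the OPT RR, plus a helper that constructs sample replies so it runs offline (the function names and the sample packets are my own; a real check would feed it the payloads from the pcap).

```python
import struct

EDE_OPTION_CODE = 15  # RFC 8914 Extended DNS Error option inside the EDNS(0) OPT RR
EDE_NAMES = {6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid",
             9: "DNSKEY Missing", 10: "RRSIGs Missing", 12: "NSEC Missing"}

def _skip_name(msg, off):
    # Return the offset just past a wire-format name; a compression pointer ends the name.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def inspect_reply(msg):
    """Summarise a wire-format DNS reply: RCODE, AD bit and every EDE option in the OPT RR."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "ede": []}
    off = 12
    for _ in range(qd):                      # question: name, qtype, qclass
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):            # the three RR sections share one layout
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        pos = 0
        while rtype == 41 and pos + 4 <= len(rdata):   # OPT pseudo-RR: walk its options
            ocode, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            odata, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if ocode == EDE_OPTION_CODE and len(odata) >= 2:
                info = struct.unpack("!H", odata[:2])[0]
                text = odata[2:].decode("utf-8", "replace")
                result["ede"].append((info, EDE_NAMES.get(info, "Other"), text))
    return result

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
def build_reply(qname, rcode, ad=False, ede=None):
    """Constructed sample reply (not captured traffic): one question, one OPT RR, optional EDE."""
    flags = 0x8180 | (0x0020 if ad else 0) | rcode   # QR, RD, RA; RCODE in the low nibble
    opts = b""
    if ede is not None:                                # ede = (info_code, extra_text)
        payload = struct.pack("!H", ede[0]) + ede[1].encode()
        opts = struct.pack("!HH", EDE_OPTION_CODE, len(payload)) + payload
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(opts)) + opts
    return (struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
            + _encode_name(qname) + struct.pack("!HH", 1, 1) + opt_rr)
```

Running `inspect_reply` over the SERVFAIL replies in a capture shows directly which ones carry an EDE option and which arrive with an empty OPT RR, which is the distinction the issue is about.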
SOLVED
The developers added code to pihole-FTL, which is the latest dnsmasq +
features (to make pi-hole the better solution).
More info (links) can be found in the (closed) unbound issue referenced above.
Full story (pi-hole forum): the "DNSSEC discussion - support for proxy-dnssec" topic (https://discourse.pi-hole.net/t/dnssec-discussion-support-for-proxy-dnssec/62217).