Hey Simon,

On Thu, 2023-04-13 at 22:15 +0100, Simon Kelley wrote:
> I'd like to know how EDE replies are being used, and what the changes
> referred to in this statement by Peter are.
>
> "Note that the changes made by the pi-hole developers have been
> implemented in pi-hole-FTL, the dnsmasq code for proxy-dnssec hasn't
> been changed, so using EDE only works with pi-hole, not with the
> official dnsmasq v2.89"
When dnsmasq validates DNSSEC, the returned status (SECURE/INSECURE/BOGUS/ABANDONED) is shown next to the query on the Pi-hole web interface. Without DNSSEC validation, all queries remain in UNKNOWN DNSSEC status as far as Pi-hole is concerned.

This has recently been changed by adding support for proxy-dnssec. When this option is used, Pi-hole checks the reply from dnsmasq for the AD bit to tell apart IN-/SECURE. When SERVFAIL happens, EDE codes are used to differentiate "normal" from DNSSEC-related reasons.

As I have mentioned before and we have discussed here, relying on the AD bit for the IN-/SECURE determination is the best we have with proxy-dnssec, but it is far from very good. --dnssec still seems the best option to me.

Best,
Dominik

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
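The AD-bit and EDE checks described in the message above, written out as an added example that is neither Pi-hole's nor dnsmasq's code. It constructs small sample DNS responses (header, one question, one OPT record), reads the AD flag and RCODE from the header, walks the records to find an Extended DNS Error option (option code 15, RFC 8914) and maps the result to a status label. The set of EDE info-codes treated as "DNSSEC-related" and the label names (SECURE/INSECURE/BOGUS/SERVFAIL) are assumptions for illustration, not Pi-hole's actual mapping:

```python
import struct

# Extended DNS Error option code from RFC 8914.
EDE_OPTION_CODE = 15
# RFC 8914 info-codes that describe DNSSEC validation failures
# (1..2, 5..12). Which codes count as "DNSSEC-related" is an assumption here.
DNSSEC_EDE_CODES = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}
RCODE_SERVFAIL = 2
FLAG_AD = 1 << 5          # Authentic Data bit in the DNS header flags
TYPE_OPT = 41


def _encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname, rcode, ad=False, ede_code=None):
    """Constructed sample response: header + one question + an OPT record,
    optionally carrying an EDE option. No answer section, to keep it short."""
    flags = 0x8180 | (FLAG_AD if ad else 0) | (rcode & 0xF)   # QR, RD, RA set
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    rdata = b""
    if ede_code is not None:
        payload = struct.pack("!H", ede_code)                   # no EXTRA-TEXT
        rdata = struct.pack("!HH", EDE_OPTION_CODE, len(payload)) + payload
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext flags, RDLEN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    return header + question + opt


def _skip_name(msg, pos):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def extract_ede(msg):
    """Return the first EDE info-code found in the OPT record, or None."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype != TYPE_OPT:
            continue
        opos = 0
        while opos + 4 <= len(rdata):    # walk OPTION-CODE / OPTION-LENGTH pairs
            code, olen = struct.unpack("!HH", rdata[opos:opos + 4])
            if code == EDE_OPTION_CODE and olen >= 2:
                return struct.unpack("!H", rdata[opos + 4:opos + 6])[0]
            opos += 4 + olen
    return None


def classify(msg):
    """Derive a status label the way the message describes: AD bit for
    SECURE/INSECURE, and on SERVFAIL the EDE code to tell DNSSEC failures
    from other server failures."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if flags & 0xF == RCODE_SERVFAIL:
        return "BOGUS" if extract_ede(msg) in DNSSEC_EDE_CODES else "SERVFAIL"
    return "SECURE" if flags & FLAG_AD else "INSECURE"


if __name__ == "__main__":
    for label, msg in [
        ("AD set", build_response("example.com", 0, ad=True)),
        ("AD clear", build_response("example.com", 0)),
        ("SERVFAIL + EDE 6 (DNSSEC Bogus)", build_response("example.com", 2, ede_code=6)),
        ("SERVFAIL + EDE 22 (No Reachable Authority)", build_response("example.com", 2, ede_code=22)),
        ("SERVFAIL, no EDE", build_response("example.com", 2)),
    ]:
        print(f"{label}: {classify(msg)}")
```

The last two cases show the limitation the message points at: a SERVFAIL without any EDE option, and a non-DNSSEC EDE code, both fall back to a plain SERVFAIL label, and an upstream that simply sets AD on unvalidated data would be labelled SECURE, since the AD bit alone carries no proof.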