Since the latest change (Conditional forwarding: Also forward unqualified host names by DL6ER · Pull Request #4287 · pi-hole/pi-hole · G) Pi-hole will forward non-FQDNs to rev-server if this is enabled.
In my config, my router is my DHCP server (distributing Pi-hole as DNS server) and it uses Pi-hole for itself as upstream server.
After installing a new client, which has DNSSEC enabled by default, a DNS loop happened: e.g. the client requested query[DNSKEY] com which is a non-FQDN and therefore it was sent to my rev-server instead of my local unbound instance. The router didn't know what to do and sent it back to Pi-hole, creating a nice loop.
My workaround was to manually remove server=//IP from the dnsmasq config file.
I'm not sure how to fix this - maybe make an exception for DNSSEC not to be sent to the rev-server? Make sure in such a configuration, the router does not use Pi-hole as upstream?
It's not only DS but also SOA which looped massively.
Use DNSSEC is off on Pi-hole as unbound is handling DNSSEC.
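
Added example, not part of the original post and not Pi-hole project code: a heuristic that scans dnsmasq-style query log lines (the format Pi-hole writes to its query log) for the loop described above, where a name forwarded to an upstream comes straight back as a new query from that same address. The log lines and the addresses 192.168.1.1 (router) and 192.168.1.50 (client) are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample in dnsmasq's query-log format.
# 192.168.1.1 stands in for the router (rev-server target), 192.168.1.50 for the new client.
SAMPLE_LOG = """\
Jan 10 10:00:00 dnsmasq[411]: query[DNSKEY] com from 192.168.1.50
Jan 10 10:00:00 dnsmasq[411]: forwarded com to 192.168.1.1
Jan 10 10:00:00 dnsmasq[411]: query[DNSKEY] com from 192.168.1.1
Jan 10 10:00:00 dnsmasq[411]: forwarded com to 192.168.1.1
Jan 10 10:00:00 dnsmasq[411]: query[DNSKEY] com from 192.168.1.1
Jan 10 10:00:01 dnsmasq[411]: query[A] example.org from 192.168.1.50
Jan 10 10:00:01 dnsmasq[411]: forwarded example.org to 127.0.0.1
Jan 10 10:00:01 dnsmasq[411]: reply example.org is 93.184.216.34
"""

QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
FORWARD = re.compile(r"forwarded (\S+) to (\S+)")


def find_loops(log_text, threshold=2):
    """Return {(name, upstream): bounce_count} for names that were forwarded
    to an upstream and then queried again by that same address.

    Heuristic only: an upstream may legitimately ask for a name it was
    forwarded earlier, so pairs below `threshold` bounces are ignored.
    """
    forwarded = set()    # (name, upstream address) pairs already sent out
    bounces = Counter()  # how often the upstream sent the same name back
    for line in log_text.splitlines():
        if m := FORWARD.search(line):
            name, upstream = m.groups()
            # Non-default ports are logged as address#port; keep the address.
            forwarded.add((name, upstream.split("#")[0]))
        elif m := QUERY.search(line):
            _qtype, name, client = m.groups()
            if (name, client) in forwarded:
                bounces[(name, client)] += 1
    return {pair: n for pair, n in bounces.items() if n >= threshold}


if __name__ == "__main__":
    for (name, upstream), n in find_loops(SAMPLE_LOG).items():
        print(f"possible loop: {name!r} bounced back from {upstream} {n} times")
```
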