DNSSEC Automatic Pinning?

I was wondering whether there were already some thoughts about adding an option to Pi-Hole to remember all the domains which have already been verified (DNSSEC) successfully. If such a “learned” domain later appeared without a DNSSEC record, it would be treated as bogus instead of insecure.

Wouldn’t this break things if the domain intentionally no longer used DNSSEC? In which cases would this be helpful?

(And if you want to suggest a feature, please open a topic in the Feature Request area.)

It would mitigate man-in-the-middle attacks that alter the DNS record and pretend that the DNS record is not signed.

Yes, it would break those domains that switch DNSSEC off. However, I suggest this should be the exception, and maybe the feature should not be enabled by default, so that only users who know what it is about would enable it.

@DanSchaper: Could you please move the topic or should I reopen it?
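A minimal model of the pinning policy discussed in this thread (remember names that validated as secure, refuse a later unsigned answer for them, and allow an explicit opt-out for a zone that deliberately drops DNSSEC). This is an added Python example, not Pi-hole code; the status strings, the `DnssecPinStore` class and the sample lookups are constructed for illustration.

```python
import time

# The three outcomes a validating resolver reports for an answer.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


class DnssecPinStore:
    """Pin-on-first-secure-validation policy (hypothetical, for illustration).

    Pins are exact names, not zones: an unsigned child zone below a signed
    parent is legitimate in DNSSEC, so pinning "com" and applying it to every
    name under it would wrongly reject all unsigned .com domains.
    """

    def __init__(self):
        self._pins = {}       # exact name -> time it first validated as secure
        self.downgrades = []  # (name, when) for each unsigned answer we refused

    @staticmethod
    def _norm(name):
        return name.rstrip(".").lower()

    def is_pinned(self, name):
        return self._norm(name) in self._pins

    def observe(self, name, status, now=None):
        """Apply the pin policy to one validated answer; return the final status."""
        now = time.time() if now is None else now
        name = self._norm(name)
        if status == SECURE:
            self._pins.setdefault(name, now)  # learn the name on first success
            return SECURE
        if status == INSECURE and name in self._pins:
            # A name that once had a signed chain now arrives unsigned:
            # treat it as bogus and record the event for the operator.
            self.downgrades.append((name, now))
            return BOGUS
        return status  # INSECURE for never-pinned names; BOGUS stays BOGUS

    def release(self, name):
        """Operator opt-out for a zone that has deliberately turned DNSSEC off."""
        return self._pins.pop(self._norm(name), None) is not None


if __name__ == "__main__":
    store = DnssecPinStore()
    # Constructed sequence: signed once, then an unsigned answer for the same name.
    for lookup in [("example.org.", SECURE), ("EXAMPLE.org", INSECURE)]:
        print(lookup, "->", store.observe(*lookup))
    print("downgrades:", store.downgrades)
```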

I’m not aware of how a record could be altered in that way. An attacker would have to change the records at the authoritative DNS server to do anything. Do you have some documentation that explains this mode of attack and how it works?