DNSSEC Questions and Default Setting

I was going through each configuration option for my Pi-hole docker container, and I decided to do a little digging into DNSSEC since I had seen it a few times but had no idea what it was.

After reading this article, I had some questions about how DNSSEC works with the Pi-hole and how it interacts with the public DNSs.

  • If the DNSSEC flag is set to false, will upstream DNSs still use DNSSEC if they support it?
  • Does the DNSSEC on Pi-hole only authenticate LAN resolutions?
  • Why isn't DNSSEC enabled by default, i.e., what are the downsides to DNSSEC that led the Pi-hole developers to disable it by default?
  • What should I be aware of before enabling it in my configuration?

I'm loving learning about Pi-hole and networking. Thanks all for this brilliant, open-source software :slight_smile:

Cheers,
Matt

DNSSEC results will not be processed by Pi-hole.

No. DNSSEC certs are typically provided by an authoritative nameserver if the domain owner has set this up.

Not all upstream DNS servers support DNSSEC. In addition, I would estimate that only a small fraction of domains have DNSSEC signatures (perhaps 10-15% max).

Make sure your upstream DNS server supports this.

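The reply says to make sure the upstream resolver supports DNSSEC. The way a validating resolver signals this on the wire is the AD (Authenticated Data) flag in the response header, which it only sets when the query carried the EDNS0 DO (DNSSEC OK) bit and the chain of signatures checked out; a bogus signature instead comes back as SERVFAIL. The script below is an added example, not code from the thread or from the Pi-hole project: it builds such a query, decodes the header flags of a response, and classifies the result. The sample responses are constructed header-only byte strings so the flag decoding runs offline; the `query_upstream` helper and the `--server` handling are assumed conveniences for a live check against a resolver of your choosing.

```python
import socket
import struct
import sys

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035).
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: resolver validated the answer
FLAG_CD = 0x0010  # checking disabled: client asked resolver not to validate
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000  # DNSSEC OK bit, carried in the OPT record's TTL field


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dnssec_query(name: str, txid: int) -> bytes:
    """A-record query with RD set plus an EDNS0 OPT record carrying the DO bit."""
    # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_flags(response: bytes) -> dict:
    """Decode the 16-bit flags word from a DNS response header."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    (flags,) = struct.unpack("!H", response[2:4])
    return {
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


def classify(response: bytes) -> str:
    """Summarise what the response says about DNSSEC handling upstream."""
    f = parse_flags(response)
    if f["rcode"] == RCODE_SERVFAIL:
        # A validating resolver returns SERVFAIL for a name whose signatures fail to verify.
        return "servfail"
    if f["ad"]:
        return "validated"      # resolver validated the chain of trust
    return "unvalidated"        # answered, but no validation was asserted


def query_upstream(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send one DNSSEC-aware query over UDP and return the raw response (assumed helper)."""
    query = build_dnssec_query(name, 0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return data


# Constructed sample responses: header only, which is all the flag check needs.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 1)


if __name__ == "__main__":
    for label, sample in (("validated", SAMPLE_VALIDATED),
                          ("unvalidated", SAMPLE_UNVALIDATED),
                          ("servfail", SAMPLE_SERVFAIL)):
        print(f"sample {label:12s} -> {classify(sample)}  flags={parse_flags(sample)}")
    # Live check, e.g.: python3 dnssec_check.py --server 192.0.2.53 example.com
    if len(sys.argv) == 4 and sys.argv[1] == "--server":
        resp = query_upstream(sys.argv[2], sys.argv[3])
        print(f"{sys.argv[3]} via {sys.argv[2]} -> {classify(resp)}")
```

A resolver that never sets AD on a signed domain is not validating for you, which is the situation the reply warns about; with Pi-hole's own DNSSEC option off, whatever the upstream returns is passed through without Pi-hole processing those results itself.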
