DNSSEC Questions and Default Setting

I was going through each configuration option for my Pi-hole docker container, and I decided to do a little digging into DNSSEC since I had seen it a few times but had no idea what it was.

After reading this article, I had some questions about how DNSSEC works with the Pi-hole and how it interacts with the public DNSs.

  • If the DNSSEC flag is set to false, will upstream DNSs still use DNSSEC if they support it?
  • Does the DNSSEC on Pi-hole only authenticate LAN resolutions?
  • Why isn't DNSSEC enabled by default, i.e., what are the downsides to DNSSEC that led the Pi-hole developers to disable it by default?
  • What should I be aware of before enabling it in my configuration?

I'm loving learning about Pi-hole and networking. Thanks all for this brilliant, open-source software :slight_smile:


DNSSSEC results will not be processed by Pi-hole.

No. DNSSEC certs are typically provided by an authoritative nameserver if the domain owner has set this up.

Not all upstream DNS servers support DNSSEC. In addition, I would estimate that only a small fraction of domains have DNSSEC signatures (perhaps 10-15% max).

Make sure your upstream DNS server supports this.

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.