Hmm, interesting, compare this to the logs on my Pi-hole:
Normal query
Dec 15 15:18:29 dnsmasq[2279871]: query[A] midov.pl from 127.0.0.1
Dec 15 15:18:29 dnsmasq[2279871]: forwarded midov.pl to 127.0.0.1#5335
Dec 15 15:18:29 dnsmasq[2279871]: dnssec-query[DS] pl to 127.0.0.1#5335
Dec 15 15:18:29 dnsmasq[2279871]: reply pl is DS keytag 38491, algo 8, digest 2
Dec 15 15:18:29 dnsmasq[2279871]: reply pl is DS keytag 59899, algo 8, digest 2
Dec 15 15:18:29 dnsmasq[2279871]: dnssec-query[DS] midov.pl to 127.0.0.1#5335
Dec 15 15:18:30 dnsmasq[2279871]: dnssec-query[DNSKEY] pl to 127.0.0.1#5335
Dec 15 15:18:30 dnsmasq[2279871]: reply pl is DNSKEY keytag 22188, algo 8
Dec 15 15:18:30 dnsmasq[2279871]: reply pl is DNSKEY keytag 31164, algo 8
Dec 15 15:18:30 dnsmasq[2279871]: reply pl is DNSKEY keytag 59899, algo 8
Dec 15 15:18:30 dnsmasq[2279871]: reply pl is DNSKEY keytag 38491, algo 8
Dec 15 15:18:30 dnsmasq[2279871]: reply midov.pl is no DS
Dec 15 15:18:30 dnsmasq[2279871]: validation result is INSECURE
Dec 15 15:18:30 dnsmasq[2279871]: reply midov.pl is 37.247.57.95
cleared cache
And now explicitly asking for DS:
$ dig +dnssec midov.pl DS @127.0.0.1
; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> +dnssec midov.pl DS @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17216
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;midov.pl. IN DS
;; AUTHORITY SECTION:
pl. 3527 IN SOA a-dns.pl. dnsmaster.nask.pl. 1671105630 900 300 2592000 3600
pl. 3527 IN RRSIG SOA 8 1 86400 20230114141003 20221215131003 22188 pl. Kz6fXFgo2agOXrldmQvZS5wpkm6UPFPQPXcuLCIB34dwLuIWD13hYIge /N02vdMh/p8Sgz1LDX7EWloUsXRtFcXfvjoZFdsjZl27spHZS3oGOuLZ 1FbgijC0XUx41zpFgLMkeXNHAhhSmTf5lWoagYozGCKj7XetKGWYBdSq gDxzZoUXL+nWRaubFWTr2K/W/BCpxv57Rf+FKZh4Vq38kJa+xw8L4Sfg /iyTAZGvceRG6spAdyw/h+P4A9dKS7LTSobUwEt9Um3fqB5S5oWmVL8u BmTGC2BPOZg6V+G9y1Pg4e67Eqtok0CpbtNnJ4kLBOMcqsSSWkfy6sP+ Baq0Kw==
HJH3QODF72BCSOSF30PAIV5CFNE30109.pl. 3527 IN NSEC3 1 1 12 072E695EC656851B HJHATK9QD0Q281BOKJ6H4UQN8M301A2H NS SOA TXT RRSIG DNSKEY NSEC3PARAM
HJH3QODF72BCSOSF30PAIV5CFNE30109.pl. 3527 IN RRSIG NSEC3 8 2 3600 20230110120000 20221211120000 22188 pl. Gyb91LIcM8g/CkvwBmF8tiunu5PS/jLlfgX1ibV5w2rBlZq5MXNDPsOr fQM4hR+65EMPow5ukfNUQn6h1hrT1hIW9akMeD/2wo9dvUdyORban5jf oxOD8D+7h8hhd+sq0PjecxetVqOAsr9cBO5UvJ29K7GmJnNcyyofxERo 90OrDl4CB+NOdNloniLvwfop7SGlGVK+VDck20sOZjlHQfSGj0HAhWE5 pCOTOMnuQCloCyQ89WWEyx/rVxc8Wgf+aV8y56zigSq22jFNxH4cdIk0 XB7XwsBleniM7dkD+tbt1XZGGr3VVAylXsh302C6xnpTNvcACleOvuHo dbdouA==
EJSSG2FFSIRDL0F0I65I0POD2MQ1TBHM.pl. 3527 IN NSEC3 1 1 12 072E695EC656851B EJT0N52KGBQCEH93D7B6GCLB7288F4DT NS DS RRSIG
EJSSG2FFSIRDL0F0I65I0POD2MQ1TBHM.pl. 3527 IN RRSIG NSEC3 8 2 3600 20230110120000 20221211120000 22188 pl. GSDZ97ckltARNZkBzfLJsy6vJtWncvuo4oa/2ys/mIWRsT1kESnnpiml 4oumpO73ECzzlFocnLao2abvnBrd/LnnNyB0ghYRTw8jdHdlcGEWXQFa oVfPFqnh8wdmhU8yUzQErqnQRSFZ0zLVagoSyH83DS3wUVHGsva7XvUs 4kYljKTX+3dLkFbm7lh7lSRqVq4JZpjXXoonAXXFQc9RcsbNjJMzmYE8 3wThZ9DuMXMzdVsMZn7VTzkSvYtU7zOlngpN6AZy04h87KWd5Cn4h78R OQcOvx6BB2nbHKb1l7oGRs0qcdh3/5CkgIPBSOpHmPFG9ZTm3RBXScFm eTMCGQ==
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Dec 15 15:19:43 CET 2022
;; MSG SIZE rcvd: 1139
Related log lines:
Dec 15 15:20:39 dnsmasq[2280085]: query[DS] midov.pl from 127.0.0.1
Dec 15 15:20:39 dnsmasq[2280085]: forwarded midov.pl to 127.0.0.1#5335
Dec 15 15:20:39 dnsmasq[2280085]: dnssec-query[DS] pl to 127.0.0.1#5335
Dec 15 15:20:39 dnsmasq[2280085]: reply pl is DS keytag 38491, algo 8, digest 2
Dec 15 15:20:39 dnsmasq[2280085]: reply pl is DS keytag 59899, algo 8, digest 2
Dec 15 15:20:39 dnsmasq[2280085]: dnssec-query[DNSKEY] pl to 127.0.0.1#5335
Dec 15 15:20:39 dnsmasq[2280085]: reply pl is DNSKEY keytag 38491, algo 8
Dec 15 15:20:39 dnsmasq[2280085]: reply pl is DNSKEY keytag 22188, algo 8
Dec 15 15:20:39 dnsmasq[2280085]: reply pl is DNSKEY keytag 31164, algo 8
Dec 15 15:20:39 dnsmasq[2280085]: reply pl is DNSKEY keytag 59899, algo 8
Dec 15 15:20:39 dnsmasq[2280085]: validation result is SECURE
Dec 15 15:20:39 dnsmasq[2280085]: reply midov.pl is NODATA
As you are getting the BOGUS reply apparently as a result of whatever the reply to the dnssec-query[DNSKEY] pl returned is, I'd like to ask you to try pointing your Pi-hole directly to your unbound for testing purposes (so skip the detour over the openwrt dnsmasq for now).
The next step would be to create a network packet recording for an in-depth analysis. As this is always considerable amounts of work, it'd be good if we find the answer using other means.
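An added example, not part of the original post: a small Python parser that groups dnsmasq log lines like those above into one record per client query, so the DNSSEC sub-queries and the validation verdict of a working lookup and a BOGUS one can be compared side by side. The sample log is constructed (the first query is shortened from the log in the post, the second one with upstream 192.0.2.1 is invented), and attributing each line to the most recent query of the same dnsmasq process is an assumption that only holds on a quiet resolver.

```python
import re

# Constructed sample: first query shortened from the post's log, second one invented.
SAMPLE_LOG = """\
Dec 15 15:18:29 dnsmasq[2279871]: query[A] midov.pl from 127.0.0.1
Dec 15 15:18:29 dnsmasq[2279871]: forwarded midov.pl to 127.0.0.1#5335
Dec 15 15:18:29 dnsmasq[2279871]: dnssec-query[DS] pl to 127.0.0.1#5335
Dec 15 15:18:30 dnsmasq[2279871]: dnssec-query[DNSKEY] pl to 127.0.0.1#5335
Dec 15 15:18:30 dnsmasq[2279871]: validation result is INSECURE
Dec 15 15:18:30 dnsmasq[2279871]: reply midov.pl is 37.247.57.95
Dec 15 15:21:02 dnsmasq[2279871]: query[A] example.pl from 127.0.0.1
Dec 15 15:21:02 dnsmasq[2279871]: dnssec-query[DNSKEY] pl to 192.0.2.1#53
Dec 15 15:21:02 dnsmasq[2279871]: validation result is BOGUS
"""

LINE = re.compile(r"dnsmasq\[(\d+)\]: (.*)$")
QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
DNSSEC = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)")
RESULT = re.compile(r"validation result is (\w+)")

def transactions(log_text):
    """Group log lines into one record per client query (per dnsmasq PID)."""
    current, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        if q := QUERY.match(msg):
            current[pid] = {"qtype": q[1], "name": q[2], "client": q[3],
                            "chain": [], "result": None}
            done.append(current[pid])
        elif pid in current:
            if d := DNSSEC.match(msg):
                current[pid]["chain"].append((d[1], d[2], d[3]))
            elif r := RESULT.match(msg):
                current[pid]["result"] = r[1]
    return done

def bogus_steps(txns):
    """For each BOGUS verdict, return the name and the last DNSSEC sub-query before it."""
    return [(t["name"], t["chain"][-1] if t["chain"] else None)
            for t in txns if t["result"] == "BOGUS"]

if __name__ == "__main__":
    for t in transactions(SAMPLE_LOG):
        print(t["qtype"], t["name"], t["result"], t["chain"])
    print("BOGUS after:", bogus_steps(transactions(SAMPLE_LOG)))
```

The upstream address recorded with each sub-query shows at a glance which resolver in the chain returned the data that failed validation.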