DNSSEC SECURE not appearing in cache

Hi, I have set up DNSSEC on PiHole (Raspberry Pi). I can see that some sites' DNS replies are SECURE and some INSECURE in the log. However, when I look at the PiHole cache, I only see INSECURE. Does this indicate that SECURE entries are not cached? I am also running Unbound on the Raspberry Pi; is SECURE in the Unbound cache? Thx

How are you inspecting the Pi-hole cache?

[Screenshot of the Pi-hole dashboard, 2022-08-04 14:09:18]

Clicking 'cached' here

I can't confirm this:
When analysing my long term database, I see cached replies (queries.status=3) with SECURE as well as INSECURE DNSSEC status codes:

pihole-FTL sqlite3 -header -column /etc/pihole/pihole-FTL.db "SELECT CASE dnssec \
WHEN 0 THEN 'unknown' \
WHEN 1 THEN 'SECURE' \
WHEN 2 THEN 'INSECURE' \
WHEN 3 THEN 'BOGUS' \
WHEN 4 THEN 'ABANDONED' \
ELSE '?non-DNSSEC?' \
END AS dnssec_status, count(domain) FROM queries \
WHERE STATUS == 3 \
GROUP BY dnssec_status;"
dnssec_status  count(domain)
-------------  -------------
?non-DNSSEC?   8611
INSECURE       58860
SECURE         6286
unknown        7899

When doing that, it looks like all is OK. Thx.

pi@pdns:~ $ pihole-FTL sqlite3 -header -column /etc/pihole/pihole-FTL.db "SELECT CASE dnssec \
WHEN 0 THEN 'unknown' \
WHEN 1 THEN 'SECURE' \
WHEN 2 THEN 'INSECURE' \
WHEN 3 THEN 'BOGUS' \
WHEN 4 THEN 'ABANDONED' \
ELSE '?non-DNSSEC?' \
END AS dnssec_status, count(domain) FROM queries \
WHERE STATUS == 3 \
GROUP BY dnssec_status;"
dnssec_status  count(domain)
-------------  -------------
INSECURE       1237         
SECURE         25           
unknown        8683

A few thoughts:

  1. When you click the "cached" link on the dashboard, you aren't actually inspecting the cache. You see a filtered output of the query log, showing only those queries that were answered from cache. The query log shows the most recent 24 hours, and what you see is not indicative of the cache contents at any specific time.

  2. The SQL commands you are running search your entire query database (long term database), which has data back as far as 365 days (the default duration for retaining entries).

  3. For the specific case of the query log, it could be that the TTLs for the queries with SECURE replies happen to be shorter than the TTLs for other queries. The shorter the TTL (time to live), the less likely that a domain will be in cache when it is queried a second time. The cache in Pi-hole will retain IPs for the duration of the TTL.

  4. Unbound is the software doing the DNSSEC validation in your setup. Enabling the DNSSEC feature in Pi-hole adds the DNSSEC column to the query log and retains the DNSSEC status in the query database, but by the time the reply gets to Pi-hole, Unbound has already done the DNSSEC authentication.
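To make points 1 and 2 concrete, here is an added example (not code from anyone in this thread or from the Pi-hole project) that reads the same `queries` table two ways: once restricted to the last 24 hours of cached replies, which is roughly what the dashboard's "cached" filter shows, and once over the whole long-term database, which is what the `pihole-FTL sqlite3` query above counts. The DNSSEC code mapping (0 unknown, 1 SECURE, 2 INSECURE, 3 BOGUS, 4 ABANDONED) and `status = 3` for cached replies are taken from the thread; the sample rows are constructed, and the table is a minimal four-column subset of the real `pihole-FTL.db` schema, created in memory so the script runs anywhere. Pointing `dnssec_breakdown` at a real connection to `/etc/pihole/pihole-FTL.db` (opened read-only) works the same way.

```python
import sqlite3
import time

# DNSSEC status codes as stored in queries.dnssec (mapping from the thread's CASE).
DNSSEC_LABELS = {0: "unknown", 1: "SECURE", 2: "INSECURE", 3: "BOGUS", 4: "ABANDONED"}
# queries.status value for "answered from cache", as used in the thread's query.
STATUS_CACHED = 3
DAY = 86400


def dnssec_breakdown(conn, status=STATUS_CACHED, since=None):
    """Return {dnssec_label: count} for queries with the given status.

    since: optional Unix timestamp; only rows with timestamp >= since are counted.
    With since=None this is the thread's SELECT ... CASE dnssec ... GROUP BY
    query over the whole database; with since=now-DAY it approximates the
    24-hour window the dashboard query log shows.
    """
    sql = "SELECT dnssec, COUNT(domain) FROM queries WHERE status = ?"
    params = [status]
    if since is not None:
        sql += " AND timestamp >= ?"
        params.append(since)
    sql += " GROUP BY dnssec"
    # NULL and unmapped codes fall into the same bucket as the thread's ELSE branch.
    return {DNSSEC_LABELS.get(code, "?non-DNSSEC?"): n
            for code, n in conn.execute(sql, params)}


def build_sample_db(now):
    """Constructed sample data in an in-memory SQLite database.

    Only the columns this example reads are created (timestamp, status, domain,
    dnssec); the real pihole-FTL.db has more. Status 2 is used here for a
    forwarded (non-cached) query, which the cached view must ignore.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE queries "
                 "(timestamp INTEGER, status INTEGER, domain TEXT, dnssec INTEGER)")
    rows = [
        # last 24 h, answered from cache: all INSECURE, like the original poster's view
        (now - 600, STATUS_CACHED, "example.com", 2),
        (now - 1200, STATUS_CACHED, "example.net", 2),
        (now - 1800, STATUS_CACHED, "example.org", 2),
        # last 24 h, forwarded and SECURE: a cache miss, so not part of the cached view
        (now - 900, 2, "secure.example", 1),
        # older than 24 h, cached SECURE replies that only the long-term query reveals
        (now - 3 * DAY, STATUS_CACHED, "secure.example", 1),
        (now - 10 * DAY, STATUS_CACHED, "secure.example", 1),
        (now - 30 * DAY, STATUS_CACHED, "example.com", 2),
        # rows with no DNSSEC information at all
        (now - 40 * DAY, STATUS_CACHED, "old.example", None),
        (now - 50 * DAY, STATUS_CACHED, "old.example", 0),
    ]
    conn.executemany("INSERT INTO queries VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def compare_views(conn, now):
    """Return (last-24h cached breakdown, whole-database cached breakdown)."""
    return dnssec_breakdown(conn, since=now - DAY), dnssec_breakdown(conn)


if __name__ == "__main__":
    now = int(time.time())
    conn = build_sample_db(now)
    last_day, all_time = compare_views(conn, now)
    print("cached replies, last 24 h (dashboard 'cached' view):", last_day)
    print("cached replies, whole long-term database (SQL view):", all_time)
```

On the constructed data the 24-hour view contains only INSECURE entries while the whole-database view also shows the two older SECURE cache hits, which is exactly the discrepancy between the dashboard and the SQL query: neither view is the cache itself, they are the same log seen through different time windows.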

Thanks, useful info. Re. 4, since I then see SECURE/INSECURE status, it confirms Unbound DNSSEC is working fine. So, I guess I can just disable DNSSEC in PiHole? I do not see a need to get into the log and check DNSSEC status.

Yes.