I'd like to follow up on this question: Disable DNSSEC for specific domains?
I'm running a local unbound DNSSEC-validating server. It is also configured to forward local forward/reverse lookups to the router's dnsmasq server. This is done by specifically specifying that the zones are not DNSSEC-secured (
So I can disable DNSSEC and everything works: bad zones are not resolved, local zones are, all good. But I would like to also be able to configure LAN clients to trust the pi-hole resolver by having it forward the validation flag (
The issue is that pihole-FTL does not forward the flag with DNSSEC disabled, and does not forward the un-validated local responses (lacking the flag) with DNSSEC enabled.
If there's no plan on allowing insecure zones, there could at least be an option to forward DNSSEC trust data without validating it, so a local resolving cache could still be used and pass on the domains + flags, and clients configured to trust pi-hole would be able to tell if DNS data was signed (which I think could at least be useful to automatically trust ssh keys with signed fingerprints in DNS).
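As an added illustration (not part of the original post or of the Pi-hole project), this is how the unbound side of the setup described above is usually written: local forward and reverse zones are forwarded to the router and marked insecure so the validator accepts their unsigned answers instead of returning SERVFAIL, while everything else is still validated against the root trust anchor. The zone name `lan`, the LAN prefix 192.168.1.0/24, the router address 192.168.1.1 and the trust-anchor path are assumptions.

```conf
# Added example configuration, not taken from the original post.
# Assumed values: local domain "lan", LAN 192.168.1.0/24,
# router running dnsmasq at 192.168.1.1.
server:
    # Root trust anchor maintained by unbound-anchor (path assumed)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # The local zones have no chain of trust from the root. Telling the
    # validator so makes it treat their answers as insecure (no AD flag)
    # rather than bogus, so they still resolve.
    domain-insecure: "lan."
    domain-insecure: "1.168.192.in-addr.arpa."

    # unbound ships a built-in static zone for RFC1918 reverse space;
    # release it so the forward-zone below is used for PTR lookups.
    local-zone: "1.168.192.in-addr.arpa." nodefault

    # Let answers in this zone contain private (RFC1918) addresses.
    private-domain: "lan."

forward-zone:
    name: "lan."
    forward-addr: 192.168.1.1

forward-zone:
    name: "1.168.192.in-addr.arpa."
    forward-addr: 192.168.1.1
```

A quick check after reloading unbound: `dig +dnssec` for a signed public name returns the `ad` flag, a deliberately broken test zone returns SERVFAIL, and a `.lan` name answers normally but without `ad`. That is exactly the "bad zones are not resolved, local zones are" state the post describes, and the missing `ad` on local names is the validation flag the post wants passed through to LAN clients.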