How do I interperet the DNSSEC column in the query log?


As of Pi-hole 3.3, you can see the DNSSEC status in the query log.

  • SECURE are records that have been signed and verified to be unchanged from the authoritative DNS server
  • INSECURE are records that either have no signature or DNSSEC is not implemented for the domain; either the domain is unsigned and not implementing DNSSEC or there are other issues
  • BOGUS are records that have been signed but have changed or been altered from the authoritative DNS server

You will see INSECURE, but that does not mean a bad record–just has not been implemented. BOGUS records are something to look at, either they have been altered in transit or the domain maintainer has not updated the records correctly. At present, 90% of the records you see will be INSECURE as there is not a lot of DNSSEC uptake currently.

If you see BOGUS on a test for a known bad record then things look like they are configured correctly. As more domains move to utilizing DNSSEC the INSECURE will tend to fade away, but we are a long ways away from full adoption of the technology.

DNSSEC not working?
DNSSEC & DNS.WATCH ohne funktion
Strange behaviour when sending emails
Insecure notation re: dns
DoH Using Cloudflare