Pi.hole DS/DNSKEY query


Since I have updated to the beta, I got every few seconds a type DNSKEY/DS from cliënt pi.hole to my localhost#5353 (who is my unbound):

Is this normal?


Only have this behaviour when I enable DNSSEC in the settings
Or is this normal and I never noticed this? :thinking:

These queries are indeed related to DNSSEC, not only are they normal, they are required. They have always been there when DNSSEC was enabled, but were hidden from view. Now in the beta they are exposed to the user. You can hide them again by adding SHOW_DNSSEC=false to /etc/pihole/pihole-FTL.conf.

The Delegation Signer DS in the parent zone points towards the DNSKEY in the child zone and tells the questioning resolver in this way that the child zone is authenticated via DNSSEC. That DNSKEY is then what validates any other record in the child zone. This way you can be sure the resource record that you get is really the real deal and not forged by a malicious third party.
Consider looking for the A record of www.example.com, the DS record in the root zone (.) validates the DNSKEY record in the com. zone. A DS record in the com. zone then validates a DNSKEY in the example.com. zone and that DNSKEY is what validates the A record for www.example.com. Quick visualization here:

A missing DS record means there is no way to validate the authenticity of any potential DNSKEYs in the child zone and the zone is thus is considered insecure.

And Cloudflare has page dedicated to how DNSSEC works here:


We drafted a blog post about how DNSSEC works and how to interpret what you are seeing in the Query Log with these now shown query types. We plan to publish it a few days after we released what is currently in the beta so it is useful for more people.