Problems with DNSSEC, Pi-hole run in docker, no unbound installed

Hi, I'm running Pi-hole via a Docker container. I'm not using unbound; instead I'm upstreaming to Cloudflare. I've tried to enable the "Use DNSSEC" option from the web UI settings page, but whenever I turn that on no address can be resolved. Turning that off restores normal behaviour, e.g. addresses get correctly resolved and I can surf the internet ok. As a newbie on Pi-hole, maybe I misunderstood it and using unbound as a recursive DNS server is a requirement to get DNSSEC to work ok in Pi-hole?

Update #1 - Posting my (very simple) compose.yaml as suggested by deHakkelaar

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "81:80/tcp"
    environment:
      TZ: 'Europe/Rome'
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    restart: unless-stopped

Expected Behaviour:

I'd expect DNS resolution to work ok

Actual Behaviour:

Resolution for any public address fails with the following error:

validation is ABANDONED

Debug Token:

https://tricorder.pi-hole.net/rkvYDzPO/

With DNSSEC, always make sure date/time on the host is not too far off!
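Added example (not written by anyone in this thread, and not Pi-hole code): every DNSSEC signature (RRSIG) carries an inception and an expiration time, and a validator whose clock falls outside that window cannot accept it, which is why the clock matters. The RRSIG line below is a constructed sample in `dig +dnssec` presentation format, and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample record (not taken from the thread or its debug log).
# RFC 4034 field order after "RRSIG":
#   type-covered alg labels orig-ttl EXPIRATION INCEPTION keytag signer signature
SAMPLE_RRSIG = (
    "example.com. 300 IN RRSIG A 13 2 300 "
    "20250115120000 20250101120000 12345 example.com. c2FtcGxlc2ln"
)


def _ts(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (14 digits) or epoch seconds."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def rrsig_window(line):
    """Return (inception, expiration) parsed from one RRSIG line."""
    fields = line.split()
    i = fields.index("RRSIG")
    # Expiration is listed before inception in the presentation format.
    expiration, inception = _ts(fields[i + 5]), _ts(fields[i + 6])
    return inception, expiration


def check_clock(line, now):
    """Classify a validator clock against the signature validity window.

    Returns (status, seconds): how far outside the window the clock is,
    or, when valid, the margin to the nearest edge of the window.
    """
    inception, expiration = rrsig_window(line)
    if now < inception:
        return "not-yet-valid", (inception - now).total_seconds()
    if now > expiration:
        return "expired", (now - expiration).total_seconds()
    return "valid", min(now - inception, expiration - now).total_seconds()


if __name__ == "__main__":
    # Compare the sample window with this machine's current UTC clock.
    print(check_clock(SAMPLE_RRSIG, datetime.now(timezone.utc)))
```

To compare clocks directly, run `date -u` on the host and inside the container and check both against the window of a real RRSIG returned by the upstream resolver.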

Thanks - I think time settings are good, I assume the docker container syncs with the underlying system in which case I can confirm time settings on the underlying system are ok


It could help if you post the Docker compose file or run command in your original posting?


Any clue anyone? Did some further testing but no luck. As soon as I enable DNSSEC it becomes impossible to resolve any public address