The issue I am facing:
- I own a real domain.
- I'm running Pi-Hole and CoreDNS within my LAN, with CoreDNS configured as the upstream resolver for Pi-Hole.
- CoreDNS serves a zone for my domain containing A records pointing to internal IP addresses. It's configured to sign this zone with DNSSEC keys I've generated and saved, then to serve the signed zone file. It forwards requests for any other zone to Cloudflare's public resolver.
- DNSSEC is enabled in Pi-Hole.
- At my registrar, the nameservers for my domain point to Cloudflare, and in Cloudflare I have records pointing to public IP addresses (the idea is that mydomain.com should resolve to a public IP address in general, but should instead resolve to a LAN IP address for clients within my LAN). DNSSEC is also enabled in Cloudflare, and multiple DS records, corresponding to the key used by Cloudflare and the key used by my private internal zone, are both present at my registrar.
- Although queries which are forwarded to Cloudflare are working fine and the responses for my domain look correct when I query CoreDNS directly (e.g. with dig), queries to Pi-Hole for my domain return SERVFAIL, and in Pi-Hole's logs I see "validation mydomain.com is ABANDONED".
- The public part of the setup also works fine (I can resolve my domain to the public IP addresses without issue if I'm outside my LAN).
- Also, if I disable DNSSEC in Pi-Hole, everything works. So the issue is definitely specific to Pi-Hole validating DNSSEC.
The setup:
Zone file:
$ORIGIN mydomain.com.
; SOA plus a single NS that is the zone apex itself (its address is the A record below)
mydomain.com. 300 IN SOA mydomain.com. root.mydomain.com. 2274749221 10000 2400 604800 3600
mydomain.com. 300 IN NS mydomain.com.
; public key (DNSKEY) of the zone-signing key generated for this zone
$INCLUDE keys/Kmydomain.com.+<...>.key
; DS for that same key; a DS normally belongs in the parent zone (the registrar's
; delegation), so including it here also publishes it at the apex of the child zone
$INCLUDE keys/Kmydomain.com.+<...>.ds
; the apex resolves to a LAN address, and every name below it is a CNAME back to the apex
@ IN A 192.168.0.2
* IN CNAME @
CoreDNS Corefile:
mydomain.com {
    # serve the pre-signed zone produced by the sign plugin below
    file db.mydomain.com.signed
    # sign the unsigned zone file with the stored key and write the signed zone into "."
    sign mydomain.com.zone {
        key file keys/Kmydomain.com<...>
        directory .
    }
    errors
    log
}
. {
    any
    # everything not in the zone above goes to Cloudflare over DNS-over-TLS
    forward . tls://1.1.1.1 tls://1.0.0.1 {
        tls_servername cloudflare-dns.com
    }
    errors
    log
}
As mentioned, if I query CoreDNS I receive the records as expected, containing the RRSIGs. But Pi-Hole's logs show:
Apr 8 12:09:57 dnsmasq[469]: query[A] mydomain.com from <Some client IP>
Apr 8 12:09:57 dnsmasq[469]: forwarded mydomain.com to <CoreDNS IP>
Apr 8 12:09:57 dnsmasq[469]: dnssec-query[DS] mydomain.com to <CoreDNS IP>
Apr 8 12:09:57 dnsmasq[469]: validation mydomain.com is ABANDONED
Apr 8 12:09:57 dnsmasq[469]: reply mydomain.com is 192.168.0.2
I'm really not sure why Pi-Hole is abandoning the validation. CoreDNS logs NOERROR for the A and DS queries and, indeed, if I query it directly I get the DS record as expected. Is there a way to get more info from Pi-Hole about what is causing it to abandon the validation? Or is there something obvious I might be missing?
Thanks!
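As an added example that is not part of the question above and not Pi-hole's or dnsmasq's own tooling, here is a small Python script that groups pihole.log lines into one record per client query and reports, for each name, which DNSSEC chain lookups (DS/DNSKEY) dnsmasq issued, which replies it got for them, and the validation status it reached. The embedded log lines are constructed: the first five copy the ones quoted in the question with made-up RFC 1918 addresses, and the other two queries are invented to show a SECURE and an INSECURE outcome next to the ABANDONED one. The function names (`parse_dnsmasq_log`, `validation_summary`, `abandoned_names`) are my own.

```python
import re

# Constructed sample of a Pi-hole dnsmasq log. The first five lines mirror the
# ones quoted in the question, with made-up RFC 1918 client/upstream addresses;
# the other two queries are invented to show a SECURE and an INSECURE outcome.
SAMPLE_LOG = """\
Apr  8 12:09:57 dnsmasq[469]: query[A] mydomain.com from 192.168.0.50
Apr  8 12:09:57 dnsmasq[469]: forwarded mydomain.com to 192.168.0.2
Apr  8 12:09:57 dnsmasq[469]: dnssec-query[DS] mydomain.com to 192.168.0.2
Apr  8 12:09:57 dnsmasq[469]: validation mydomain.com is ABANDONED
Apr  8 12:09:57 dnsmasq[469]: reply mydomain.com is 192.168.0.2
Apr  8 12:10:03 dnsmasq[469]: query[A] example.com from 192.168.0.50
Apr  8 12:10:03 dnsmasq[469]: forwarded example.com to 192.168.0.2
Apr  8 12:10:03 dnsmasq[469]: dnssec-query[DNSKEY] example.com to 192.168.0.2
Apr  8 12:10:03 dnsmasq[469]: dnssec-query[DS] example.com to 192.168.0.2
Apr  8 12:10:03 dnsmasq[469]: validation result is SECURE
Apr  8 12:10:03 dnsmasq[469]: reply example.com is 93.184.216.34
Apr  8 12:10:09 dnsmasq[469]: query[A] unsigned.test from 192.168.0.50
Apr  8 12:10:09 dnsmasq[469]: forwarded unsigned.test to 192.168.0.2
Apr  8 12:10:09 dnsmasq[469]: dnssec-query[DS] unsigned.test to 192.168.0.2
Apr  8 12:10:09 dnsmasq[469]: reply unsigned.test is no DS
Apr  8 12:10:09 dnsmasq[469]: validation result is INSECURE
Apr  8 12:10:09 dnsmasq[469]: reply unsigned.test is 203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
DNSSEC_Q_RE = re.compile(r"^dnssec-query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) to (?P<upstream>\S+)$")
# dnsmasq writes either "validation result is SECURE" or "validation <name> is BOGUS"
VALIDATION_RE = re.compile(r"^validation (?:result|(?P<name>\S+)) is (?P<status>[A-Z]+)$")
REPLY_RE = re.compile(r"^(?:reply|cached) (?P<name>\S+) is (?P<value>.*)$")


def parse_dnsmasq_log(text):
    """Group dnsmasq log lines into one record per client query.

    Caveat: the default pihole.log carries no query identifier, so lines from
    concurrent queries interleave; this attaches each line to the most recently
    opened query, which is exact for a quiet resolver and approximate for a busy one.
    """
    records = []
    rec = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            rec = {"time": m.group("ts"), "qtype": q.group("qtype"), "name": q.group("name"),
                   "client": q.group("client"), "upstream": None, "dnssec_queries": [],
                   "dnssec_replies": [], "validation": None, "answers": []}
            records.append(rec)
            continue
        if rec is None:
            continue
        if (f := FORWARD_RE.match(msg)):
            rec["upstream"] = f.group("upstream")
        elif (d := DNSSEC_Q_RE.match(msg)):
            rec["dnssec_queries"].append(f"{d.group('qtype')} {d.group('name')}")
        elif (v := VALIDATION_RE.match(msg)):
            rec["validation"] = v.group("status")
        elif (r := REPLY_RE.match(msg)):
            # replies that arrive while chain lookups are still outstanding (or that
            # are for another name) are DS/DNSKEY answers, not the answer to the client
            mid_validation = bool(rec["dnssec_queries"]) and rec["validation"] is None
            if r.group("name") != rec["name"] or mid_validation:
                rec["dnssec_replies"].append(f"{r.group('name')} is {r.group('value')}")
            else:
                rec["answers"].append(r.group("value"))
    return records


def validation_summary(records):
    """Map each queried name to its outcome and the chain lookups dnsmasq attempted."""
    out = {}
    for rec in records:
        status = rec["validation"] or ("UNVALIDATED" if not rec["dnssec_queries"] else "UNFINISHED")
        out[rec["name"]] = {"status": status, "upstream": rec["upstream"],
                            "chain_lookups": rec["dnssec_queries"],
                            "chain_replies": rec["dnssec_replies"]}
    return out


def abandoned_names(records):
    """Names whose validation dnsmasq gave up on (the status the question sees next to SERVFAIL)."""
    return [r["name"] for r in records if r["validation"] == "ABANDONED"]


if __name__ == "__main__":
    recs = parse_dnsmasq_log(SAMPLE_LOG)
    for name, info in validation_summary(recs).items():
        print(f"{name:15} {info['status']:10} via {info['upstream']}  "
              f"lookups={info['chain_lookups']} replies={info['chain_replies']}")
```

Run it against the pihole.log file instead of SAMPLE_LOG to compare a name that ends up ABANDONED with one that ends up SECURE: in the constructed sample the ABANDONED record shows a single DS lookup for the name itself and no DS reply logged before dnsmasq gave up, whereas the SECURE record shows both the DNSKEY and DS lookups completing. The chain replies (for instance "no DS" versus a DS RRset) are what to look at when deciding which lookup the validator could not finish.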