I was looking at the UI query log under DNSSEC which is empty. Now that I'm looking there I can see it's working. Guessing it's bugged out when using dnscrypt?
I've tested dnscrypt-proxy v2 with both current and beta versions of pihole (see here). Turns out there are a lot of dnscrypt-proxy servers that don't handle DNSSEC very well.
Servers I found to handle DNSSEC correctly are:
'dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'scaleway-fr', 'de.dnsmaschine.net', 'dnscrypt.me'
I haven't tested them all, but I'm convinced the 'd0wn' servers don't do very well.
Test validation
You can test DNSSEC validation using
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address.
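As an added example (not part of the thread above), here is a small shell helper that classifies the output of those two dig queries the way the test expects: a bogus signature must come back as SERVFAIL with no address, and a good one as NOERROR with an A record and the "ad" (authenticated data) flag set, which is the only proof that the resolver actually validated rather than just forwarded. The sample dig outputs embedded below are constructed for the example and use placeholder addresses; the real commands are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: classify captured `dig` output for the sigfail/sigok DNSSEC check.
# Real usage:  dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353 | sh -c '. ./this.sh; classify_dig_output'

# Reads dig output on stdin and prints one word:
#   validated   -> status NOERROR, an A record in the answer, and the "ad" flag set
#   unvalidated -> NOERROR with an A record but no "ad" flag (resolver forwarded, did not validate)
#   servfail    -> status SERVFAIL and no answer records (expected for a bogus signature)
#   other       -> anything else (worth a closer look)
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
  has_a=$(printf '%s\n' "$out" | grep -c '[[:space:]]IN[[:space:]]A[[:space:]]' || true)
  case "$status" in
    SERVFAIL)
      if [ "$has_a" -eq 0 ]; then echo servfail; else echo other; fi ;;
    NOERROR)
      if [ "$has_a" -gt 0 ]; then
        case " $flags " in
          *" ad "*) echo validated ;;
          *)        echo unvalidated ;;
        esac
      else
        echo other
      fi ;;
    *) echo other ;;
  esac
}

# Constructed sample outputs modelled on dig's format (addresses are placeholders, not real records).
SAMPLE_SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 192.0.2.10'

SAMPLE_SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# A resolver that answers sigok but never sets "ad": it is not validating at all.
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 192.0.2.10'

printf 'sigok sample:        %s\n' "$(printf '%s\n' "$SAMPLE_SIGOK"   | classify_dig_output)"
printf 'sigfail sample:      %s\n' "$(printf '%s\n' "$SAMPLE_SIGFAIL" | classify_dig_output)"
printf 'no-ad sample:        %s\n' "$(printf '%s\n' "$SAMPLE_NOAD"    | classify_dig_output)"
```

The third sample is the case the two dig commands alone can miss: a resolver that returns NOERROR for sigok but SERVFAIL for sigfail only because its upstream refused, without validating itself. Checking for the "ad" flag on the sigok answer separates "validated here" from "someone upstream validated".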
I used this out of curiosity and it turns out it did exactly that. The DNSSEC is just not showing up in the pihole UI then with dnscrypt.