Using beta, DNSSEC not showing up as working, but resolves as it should be


Expected Behaviour:

DNSSEC should be showing up as insecure, secure, bogus.

Actual Behaviour:

Not showing up.

Debug Token:

siqihw8lu8

Additional: Using beta to use dnscrypt with pihole.

Where are you looking for the DNSSEC information? It is showing up in /var/log/pihole.log

I was looking at the UI query log under DNSSEC which is empty. Now that I'm looking there I can see it's working. Guessing it's bugged out when using dnscrypt?

I've tested dnscrypt-proxy v2 with both current and beta versions of pihole (see here). Turns out there are a lot of dnscrypt-proxy servers that don't handle DNSSEC very well.
Servers I found to handle DNSSEC correctly are:
'dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'scaleway-fr', 'de.dnsmaschine.net', 'dnscrypt.me'

I haven't tested them all, but I'm convinced the 'd0wn' servers don't do very well.

I abandoned dnscrypt-proxy and I'm using the unbound solution, DNSSEC is handled by unbound.


Test validation
You can test DNSSEC validation using

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address.

I used this out of curiosity and it turns out it did exactly that. The DNSSEC is just not showing up in pihole UI then with dnscrypt.

Will there be a beta update fixing this issue?
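
Added example, not part of the thread or of the Pi-hole documentation: a small shell helper that interprets the sigfail/sigok dig pair quoted above and reports whether the resolver is validating, not validating, or broken. The sample dig header lines are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify a resolver's DNSSEC behaviour from two dig outputs:
# one for a name with a broken signature, one for a correctly signed name.

# Constructed sample dig header lines (not captured from a real resolver).
SIGFAIL_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SIGOK_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SIGFAIL_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Response code (NOERROR, SERVFAIL, ...) from dig's ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Number of answer records from dig's flags line.
dig_answers() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# $1 = dig output for the bad-signature name, $2 = for the good-signature name.
classify_resolver() {
    cr_fail=$(dig_status "$1")
    cr_ok=$(dig_status "$2")
    cr_ok_answers=$(dig_answers "$2")
    if [ "$cr_ok" != "NOERROR" ] || [ "${cr_ok_answers:-0}" -eq 0 ]; then
        echo "broken"           # even the correctly signed name does not resolve
    elif [ "$cr_fail" = "SERVFAIL" ]; then
        echo "validating"       # bad signature rejected, good one answered
    elif [ "$cr_fail" = "NOERROR" ]; then
        echo "not-validating"   # bad signature was accepted
    else
        echo "inconclusive"
    fi
}

# Live use, with the commands from the thread:
#   classify_resolver "$(dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353)" \
#                     "$(dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353)"
classify_resolver "$SIGFAIL_SAMPLE" "$SIGOK_SAMPLE"
```

A "validating" result only says that validation happens somewhere upstream of the queried port; it does not show whether Pi-hole's own DNSSEC option, and therefore the query log column, is active.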

Do you see DNSSEC information in /var/log/pihole.log, or is that handled by dnscrypt?

I see the DNSSEC info in pihole.log right now. I enabled it in dnscrypt as well as pihole UI. Is it supposed to be enabled in only one or the other?

If you want to see DNSSEC info, you need to enable it in Pi-hole so that FTLDNS gets that information.
