    dns/dnsmasq: do not use --dnssec-proxy by default · 6335e9de
Petr Menšík authored and Thomas Haller committed
dnsmasq since 2.80 properly forwards all incoming queries with the DO bit
set. That ensures that even if dnsmasq does not do validation, it will
always serve all DNSSEC records if the upstream server provides them.
Regardless of whether local validation is enabled or disabled, it will
always offer all data required for validation to its clients.
But it does not set the AD bit on local responses unless it did the actual
validation itself.

In case users trust their connection to a validating DNS server, they
would have to declare it by adding the dnssec-proxy option to the dnsmasq
conf.d directory. Because there is no negated no-dnssec-proxy, it cannot be
turned off. I think there is no good reason for it to be on in all cases,
and it would be possible to enable it if still wanted. Move the decision to
the user.

That makes it conform to RFC 4035, paragraph 3.2.3.
Signed-off-by: Petr Menšík <>
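The practical consequence of this change is that a stub client behind dnsmasq should no longer see the AD (authenticated data) flag unless dnsmasq validated itself or the administrator explicitly opted into dnssec-proxy. The following script is an added example for checking that, not code from the NetworkManager or dnsmasq projects: `ad_flag_set` parses the `;; flags:` header line of `dig` output and reports whether the `ad` token is present, and `check_resolver` wraps a live `dig +dnssec` query against a resolver of your choice. The two sample header lines are constructed for an offline run; the function and resolver names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the commit): report whether a resolver sets the
# AD flag on a DNSSEC (DO bit) query. With dnsmasq not validating and
# dnssec-proxy off, AD should be absent even when the upstream validated;
# dnssec-proxy should only be enabled when the path to the validating
# upstream is itself trusted (RFC 4035, section 3.2.3).

# ad_flag_set: read dig output on stdin; exit 0 if the ";; flags:" header
# line carries a bare "ad" token, exit 1 otherwise.
ad_flag_set() {
    # The line looks like: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ..."
    awk 'BEGIN { rc = 1 }
         /^;; flags:/ {
             # keep only the text between "flags:" and the first ";"
             sub(/^;; flags:/, ""); sub(/;.*/, "")
             n = split($0, f, " ")
             # exact token match, so "aa" (authoritative answer) is not mistaken for "ad"
             for (i = 1; i <= n; i++) if (f[i] == "ad") rc = 0
         }
         END { exit rc }'
}

# check_resolver RESOLVER NAME: live query with the DO bit set (+dnssec) and
# only the comment/header section printed. Needs dig and network access; it
# is not exercised by the offline checks below.
check_resolver() {
    resolver=$1; name=$2
    if dig @"$resolver" +dnssec +noall +comments "$name" A | ad_flag_set; then
        echo "$resolver: AD set for $name (local validation, or dnssec-proxy relaying upstream AD)"
    else
        echo "$resolver: AD not set for $name (no local validation and dnssec-proxy off)"
    fi
}

# Constructed sample header lines (not real captures) for an offline run.
VALIDATED_HEADER=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
UNVALIDATED_HEADER=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# ad_state HEADER_LINE: print "set" or "unset" for the given header line.
ad_state() {
    if printf '%s\n' "$1" | ad_flag_set; then echo set; else echo unset; fi
}

echo "validated sample:   AD $(ad_state "$VALIDATED_HEADER")"
echo "unvalidated sample: AD $(ad_state "$UNVALIDATED_HEADER")"
# Live check, e.g. against a local dnsmasq: check_resolver 127.0.0.1 example.org
```

If a non-validating dnsmasq with dnssec-proxy left on reports AD set, the flag is merely copied from the upstream, and a client treating AD as proof of validation is trusting the unauthenticated hop between dnsmasq and that upstream.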