-
dnsmasq since 2.80 properly forwards all incoming queries with DO bit set. That ensures even if the dnsmasq does not do validation, it will always serve all DNSSEC records if the upstream server provides them. Regardless local validation is enabled or disabled, it will always offer all data required for validation to its clients. But does not set AD bit on local responses unless it did the actual validation itself. In case users trust their connection to validating DNS server, they would have to declare it by adding dnssec-proxy option to dnsmasq conf.d directory. Because there is no negated no-dnssec-proxy, it cannot be turned off. I think there is no good reason to be on for all cases and it would be possible to enable it if still wanted. Move the decision to the user. That makes it conform with RFC 4035, paragraph 3.2.3. Signed-off-by: Petr Menšík <pemensik@redhat.com> NetworkManager/NetworkManager!1639