I use dnsmasq on my OpenWrt-based travel router, and generally it works great. 
I want to enable DNSSEC validation for a domain that I operate, and to do that 
I've installed a trust anchor for the domain and configured a 'server' entry to 
route requests for that domain to a recursive resolver that I run (over a 
WireGuard VPN).

Unfortunately when the 'general' upstream resolvers provided by the 
hotel/airplane/etc. don't provide RRSIG in their responses, I have to disable 
the global 'dnssec' setting in dnsmasq, otherwise all DNS resolution is broken.

My ideal configuration would be to have DNSSEC validation disabled globally, 
but enabled specifically for the one domain where I've provided a trust anchor 
and upstream server (separate from the ones provided by the DHCP client).

Can anyone suggest a configuration which might accomplish this? Would removing 
the root trust anchors solve this issue?