The original post: /r/pihole by /u/tbkizle on 2024-11-14 08:08:07.
Hello, I was looking into setting up DNSSEC with my Unbound + Pi-hole setup and I seem to be running into an odd issue. I have it enabled as far as I can tell in Unbound, but when I enable DNSSEC in Pi-hole.
This is what I get for dig to unbound directly:
dig +dnssec @127.0.0.1 -p 5335
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> +dnssec @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50659
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dds.georgia.gov. IN A
;; ANSWER SECTION:
dds.georgia.gov. 30 IN A 104.18.75.48
dds.georgia.gov. 30 IN A 104.18.74.48
dds.georgia.gov. 30 IN RRSIG A 13 6 300 20241115085140 20241113065140 34505 cloudflare.net. 7oT9uOc0Txlvu8XJM1uQafbKsU45zP1nRjcXjhicb9h/sxAK7Fy7C7Cy eositizmkqPekfPcH5uewjnWSjvOfw==
;; Query time: 0 msec
;; SERVER: (UDP)
;; WHEN: Thu Nov 14 02:58:58 EST 2024
;; MSG SIZE rcvd: 186
but then with dig to Pi-hole it shows SERVFAIL, as the previous query was status DNSSEC BOGUS.
Using https://wander.science/projects/dns/dnssec-resolver-test/ it says pass, and
dig com. SOA +dnssec @127.0.0.1 -p 53
works fine. Did I do something wrong?
Edit:
Reading more online, I also did this:
"dig sigok.ippacket.stream should return an A record. Note the ad flag from the resolver (authenticated data = DNSSEC validation was successful).
dig sigfail.ippacket.stream should return a SERVFAIL error."
And as it states, dig sigok.ippacket.stream did in fact give an A record and the ad flag. dig sigfail.ippacket.stream resulted in a SERVFAIL.
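The post's diagnosis rests on reading three things out of dig output: the response status (NOERROR vs SERVFAIL), whether the resolver set the `ad` (authenticated data) flag, and whether RRSIG records came back at all. The script below is an added example, not code from the original post or from the Pi-hole or Unbound projects: it parses those fields from raw `dig +dnssec` output and classifies the resolver's DNSSEC behaviour, so the same check can be applied to the Unbound answer on port 5335 and to the Pi-hole answer on port 53. The three sample outputs are constructed for this example; the first is modelled on the Unbound answer in the post, the other two use the sigok/sigfail test names the post quotes with a placeholder address (192.0.2.10) and placeholder signature data.

```python
"""Classify a resolver's DNSSEC behaviour from raw `dig +dnssec` output.

Added example, not from the original post. Sample outputs are constructed;
SAMPLE_NO_AD is modelled on the Unbound answer shown in the post.
"""
import re
import sys

# Constructed: NOERROR, DO set, RRSIG returned, but no `ad` flag (as in the post).
SAMPLE_NO_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50659
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dds.georgia.gov. IN A
;; ANSWER SECTION:
dds.georgia.gov. 30 IN A 104.18.75.48
dds.georgia.gov. 30 IN RRSIG A 13 6 300 20241115085140 20241113065140 34505 cloudflare.net. AAAA
"""

# Constructed: what a validating resolver returns for sigok (note `ad`).
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.ippacket.stream. IN A
;; ANSWER SECTION:
sigok.ippacket.stream. 60 IN A 192.0.2.10
sigok.ippacket.stream. 60 IN RRSIG A 13 3 60 20250101000000 20241201000000 12345 ippacket.stream. AAAA
"""

# Constructed: a validator refusing a badly signed name (sigfail).
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigfail.ippacket.stream. IN A
"""


def parse_dig(output):
    """Extract status, header flags, EDNS flags and RRSIG count from dig output."""
    status = re.search(r"status: (\w+)", output)
    hdr = re.search(r"^;; flags:([^;]*);", output, re.M)
    edns = re.search(r"^; EDNS: version: \d+, flags:([^;]*);", output, re.M)
    # Answer lines start with the owner name, never with ';'.
    rrsigs = re.findall(r"^[^;\s]\S*\s+\d+\s+IN\s+RRSIG\s", output, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": set(hdr.group(1).split()) if hdr else set(),
        "edns_flags": set(edns.group(1).split()) if edns else set(),
        "rrsig_count": len(rrsigs),
    }


def classify(answer):
    """Map a parsed answer to a DNSSEC verdict.

    validated            -> `ad` set: the resolver validated the chain of trust
    servfail             -> refused; for a signed zone this is what a validator
                            returns when it judged the data BOGUS
    signed-not-validated -> RRSIGs returned but no `ad`: the resolver passed the
                            signatures through without asserting validation
                            (validation disabled, or an insecure delegation)
    unsigned             -> no RRSIGs and no `ad`: zone unsigned, or DO not set
    """
    if answer["status"] == "SERVFAIL":
        return "servfail"
    if answer["status"] != "NOERROR":
        return "error:" + str(answer["status"])
    if "ad" in answer["flags"]:
        return "validated"
    if answer["rrsig_count"] > 0:
        return "signed-not-validated"
    return "unsigned"


# What a working validator must return for the two test names quoted in the post.
EXPECTED = {"sigok": "validated", "sigfail": "servfail"}


def check_validator(outputs):
    """outputs maps test name -> dig text; returns name -> True if as expected."""
    return {name: classify(parse_dig(outputs[name])) == want
            for name, want in EXPECTED.items()}


if __name__ == "__main__":
    if not sys.stdin.isatty():
        # Pipe real output in: dig +dnssec @127.0.0.1 -p 5335 <name> | python3 dnssec_check.py
        print(classify(parse_dig(sys.stdin.read())))
    else:
        for label, sample in [("post", SAMPLE_NO_AD), ("sigok", SAMPLE_VALIDATED),
                              ("sigfail", SAMPLE_SERVFAIL)]:
            print(label, classify(parse_dig(sample)))
```

Run it against both listeners (port 5335 for Unbound, port 53 for Pi-hole) with the same query name; an answer that carries RRSIGs but no `ad`, like the first sample, tells you that the resolver you asked did not itself assert validation, which is a different condition from a SERVFAIL.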