I agree, DNSSEC support should surely be transparently ‘on’, or ‘off’.
Catering for various resolvers' apparent inability to implement DNSSEC properly can only end in tears.
Just my 10 cents worth....
Especially as not using strict mode means DNSSEC might not be working at all, and one wouldn't even know it...
I originally added it on my fork to be able to 'set' the option, exactly for the reasons you said. Now I consider it more of a diagnostic tool that should not be left disabled. (i.e. you can disable it, run a check on a DNSSEC test site to make sure DNSSEC is working, and it is indeed just a specific site or sites that are failing).
I also improved the logging of invalid DS replies; this will probably be even more useful as a debugging tool, so people will be able to tell who to point the finger at if things don't work properly. I suspect that in most cases, the fault lies with the domain, not with dnsmasq.
Too bad nslookup doesn't report the response flags; otherwise a simple test could have been implemented in the firmware. fwupdate.lostrealm.ca should have the AD flag set when using a working DNSSEC resolver. Using dig:
Right:
Code:
merlin@ubuntu-dev:~$ dig fwupdate.lostrealm.ca @192.168.10.1
; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> fwupdate.lostrealm.ca @192.168.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35551
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fwupdate.lostrealm.ca. IN A
;; ANSWER SECTION:
fwupdate.lostrealm.ca. 300 IN A 104.27.144.248
fwupdate.lostrealm.ca. 300 IN A 104.27.145.248
;; Query time: 76 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Aug 17 15:33:47 EDT 2018
;; MSG SIZE rcvd: 82
Wrong:
Code:
merlin@ubuntu-dev:~$ dig fwupdate.lostrealm.ca @4.2.2.2
; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> fwupdate.lostrealm.ca @4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10743
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;fwupdate.lostrealm.ca. IN A
;; ANSWER SECTION:
fwupdate.lostrealm.ca. 55 IN A 104.27.145.248
fwupdate.lostrealm.ca. 55 IN A 104.27.144.248
;; Query time: 23 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Fri Aug 17 15:33:52 EDT 2018
;; MSG SIZE rcvd: 82
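The AD-flag comparison shown in the two dig runs above, as an added example that is not part of the thread, dnsmasq, or the firmware: a small Python script that builds a query with the DO bit set, decodes the 12-byte DNS header into the same fields dig prints on its `flags:` line, and classifies the reply the way a person reading that line would. The query ID, the `_fake_response` helper and the two sample replies are constructed here for offline testing and are not captures; `query_resolver` is the only function that touches the network.

```python
import socket
import struct

# Added example (not from the thread): decode DNS header flags and check
# for AD (Authenticated Data), which a validating resolver sets when it
# has verified the DNSSEC chain for the answer.

FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
FLAG_RA, FLAG_AD, FLAG_CD = 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qid: int = 0x1234, want_dnssec: bool = True) -> bytes:
    """A/IN query with RD set; with want_dnssec an OPT record carrying the
    DO bit asks the resolver to include DNSSEC records (as dig does)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if want_dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not want_dnssec:
        return header + question
    # OPT pseudo-RR: root name, TYPE=41, UDP payload 4096, ext-rcode 0,
    # EDNS version 0, flags with DO (0x8000), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the DNS header into the fields dig shows in its HEADER/flags lines."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dnssec_status(response: bytes, expected_id: int) -> str:
    """Classify a reply the way you would read dig's 'flags:' line.
    'validated'   -> NOERROR with AD set (resolver validated the chain)
    'unvalidated' -> NOERROR without AD (resolver not validating, or zone unsigned)
    'servfail'    -> SERVFAIL (from a validating resolver this is how a broken
                     chain shows up; compare against a known-good resolver)
    'mismatch'    -> ID does not match the query, or not a response; ignore it"""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "mismatch"
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "validated" if h["ad"] else "unvalidated"
    return "other"


def query_resolver(server: str, name: str, qid: int = 0x1234, timeout: float = 3.0) -> str:
    """Send the query over UDP and classify the reply (needs network access).
    AD is only the resolver's own assertion: it is meaningful when the path to
    that resolver is trusted (the router on the LAN), not across the open Internet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return dnssec_status(data, qid)


def _fake_response(qid: int, flags: int, name: str = "fwupdate.lostrealm.ca") -> bytes:
    """Constructed reply (not a capture) with one A record, for offline testing."""
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # answer: compression pointer to the question name, A/IN, TTL 300, 4-byte RDATA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([104, 27, 144, 248])
    return header + question + answer


# Constructed samples mirroring the two dig runs: "flags: qr rd ra ad" vs "flags: qr rd ra"
VALIDATING_REPLY = _fake_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
NON_VALIDATING_REPLY = _fake_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, reply in [("router", VALIDATING_REPLY), ("public", NON_VALIDATING_REPLY)]:
        print(label, dnssec_status(reply, 0x1234))
```

Run offline it reports `validated` for the first constructed reply and `unvalidated` for the second; `query_resolver("192.168.10.1", "fwupdate.lostrealm.ca")` would perform the same check live against a resolver of your choosing. The point of the three-way classification is the one made above: `unvalidated` on a signed name tells you the resolver is not validating at all, while `servfail` from a resolver that validates elsewhere points at the domain's chain rather than at the resolver.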