DonnyJohnny
Very Senior Member
Without the proxy-dnssec statement, the ad flag would be missing from dig output for example (at least it behaved that way in my testing)
Read the article. In this case the duty of dnssec validation is passed to our resolver (CF in this case) by using the proxy-dnssec.Dont think so...
Here is some good bedtime reading: https://labs.ripe.net/Members/willem_toorop/sunrise-dns-over-tls-sunset-dnssec
As I read that article, DoT and DNSSEC are needed together. It does not seem to matter if you use DNSSEC with Stubby or with dnsmasq. The security results should be the same. I have Asus routers working both ways. One on Merlin 384.7_2 with Stubby Entware and two on John's 36E9. Interesting that John's fork works well with Quad9 and my home router on Merlin does not like Quad9. I suspect it is my lousy DSL service at home!
As for now the girls are happy and oblivious to the added security for DNS. As long as the network stays up I have a happy home!
Then we do not need to enable router/stubby/dnscrypt-proxy dnssec validation as it would be wasting of system resources because cloudflare already done the validation. (Not sure of proxy-dnssec will override the system dnssec validation if dnssec validation is also enabled)
You may experience yourself that with proxy-dnssec enable, off your dnssec validation. You will still get the ad flag.
If you disable both dnssec validation and proxy-dnssec, then you will not get the ad flag as there is not validation done.
Based on the articles, i assumed dot/dns has created a secured path for dns traffic. So Long as cloudflare verified the dns request (dnssec), mean the dns forward to us is definitely correct and clean since it is in a secured path?