With dnscrypt_proxy DNSSEC:YES the manual option 'Enable DNSSEC support' should be disabled completely

Issue #302 invalid
supremesyntax created an issue

The ‘Enable DNSSEC support’ option and the description in the help section in Advanced>DHCP/DNS/… are a bit misleading in my opinion.
The help text says ‘Make sure your WAN/ISP/Stubby/dnscrypt-proxy DNS are DNSSEC-compatible, otherwise DNS lookups will always fail.’

When dnscrypt_proxy is enabled and (DNSSEC:YES …) is available, as far as I can tell dnscrypt_proxy is doing DNSSEC validation.
In fact, when you also set ‘Enable DNSSEC support’, all domains with DNSSEC configured will not load (e.g. debian.org or torproject.org).

So I propose it should not be possible to enable this option when dnscrypt_proxy is enabled as the DNS service.

Comments (4)

  1. pedro repo owner

    You have missed something, because dnscrypt_proxy works with DNSSEC enabled with the two domains you mentioned, as it should.

  2. supremesyntax reporter

    Have you set Priority to ‘No-Resolv’? This is when it doesn’t work for me.

    With Strict-Order, DNSMasq takes over on these domains in the second instance and resolves with DNSSEC and the DNS servers I got with DHCP.

  3. pedro repo owner

    I’m only using ‘No-Resolv’ with stubby or dnscrypt_proxy to avoid the use of DNS servers other than the ones from stubby/dnscrypt_proxy (there was even a discussion about this, to remove the possibility of changing to something other than ‘No-Resolv’ when using stubby/dnscrypt_proxy).

    BTW, for the test I used adguard-dns (DNSSEC:yes NOLOGS:yes).
