Add warnings and caveats for --proxy-dnssec.

This commit is contained in:
Simon Kelley
2020-01-05 21:58:00 +00:00
parent 378fa56888
commit 91102ad5eb


@@ -771,9 +771,12 @@ over system restarts. The timestamp file is created after dnsmasq has dropped ro
unprivileged user that dnsmasq runs as. unprivileged user that dnsmasq runs as.
.TP .TP
.B --proxy-dnssec .B --proxy-dnssec
Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients. This is an
alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between
dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. Note that caching the
Authenticated Data bit correctly in all cases is not technically possible. If the AD bit is to be relied upon
when using this option, then the cache should be disabled using --cache-size=0. In most cases, enabling DNSSEC validation
within dnsmasq is a better option. See --dnssec for details.
.TP .TP
.B --dnssec-debug .B --dnssec-debug
Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries, Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries,
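Review bot: The new caveat "caching the Authenticated Data bit correctly in all cases is not technically possible" tells an operator that something is wrong but not what, so they cannot judge whether their deployment is one of the affected cases; consider adding a short clause naming the failure mode (for example, that an answer cached from one query may be served to a later client whose query would have received a different AD bit), or at least pointing to where that is explained. The recommendation "the cache should be disabled using --cache-size=0" also deserves a half sentence on its cost (every query is forwarded upstream), since that trade-off is the reason the text goes on to say that validating within dnsmasq via --dnssec is usually the better choice; stating it makes the recommendation easier to follow. Minor style point: the removed phrase "and cache it" in the first sentence and the added "Note that caching ..." sentence now sit a few lines apart; merging the cache discussion into one place would read more cleanly.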