mirror of
https://github.com/pi-hole/dnsmasq.git
synced 2025-12-19 10:18:25 +00:00
57f0489f38
This should just work in all cases now. If the normal chain-of-trust exists into the delegated domain then whether the domain is signed or not, DNSSEC validation will function normally. In the case the delgated domain is an "overlay" on top of the global DNS and no NS and/or DS records exist connecting it to the global dns, then if the domain is unsigned the situation will be handled by synthesising a proof-of-non-existance-of-DS for the domain and queries will be answered unvalidated; this action will be logged. A signed domain without chain-of-trust can be validated if a suitable trust-anchor is provided using --trust-anchor. Thanks to Uwe Kleine-König for prompting this change, and contributing valuable insights into what could be improved.