I'm using OpenNIC servers upstream, and due to the nature of their service (custom additional TLDs) they have a custom DNS root that's signed with their own key. Of course even though they have DNSSEC, I can't validate it with Pi-hole since it's presumably expecting ICANN's trust anchor.
Is there a way to manually change that trust anchor so DNSSEC validation would work? I'm looking to use this key:
The trust anchor is set in /etc/dnsmasq.d/01-pihole.conf. Since this file is subject to modification on updates, you may want to try creating an /etc/dnsmasq.d/02-trustanchor.conf with the proper anchor record.
I've changed this to a Feature Request as more users might want to see this going into Pi-hole by default. @DanSchaper do you agree that this would be harmless?
Completely harmless. If it's an established trust anchor record and one that would be needed for OpenNIC, it would couple with the Feature Request to support OpenNIC. It would just be a third trust anchor record in the configuration.
No, it uses the same configuration files, it's based on dnsmasq just with some additional code and some fixes to things. We kept with the same base so that there wouldn't be a big change that power users of dnsmasq would have to redo their setups.
I wasn’t actually able to get it working with that configuration. All you have to do is add that file right? Could be related to my upstream DNS servers though, I’ll have to test it more when I get back to a computer.
That should be enough. If FTLDNS is running, then the configuration is accepted by the daemon. If there was a conflict, the daemon would not start, as it validates the configuration files before running. That will not check the validity of the record hash value, so if there was an issue there, like an old record or a typo, it would not be caught by the checker.
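Since the daemon's config check does not verify the digest itself, a small offline check of the `trust-anchor=` line against the DNSKEY it is supposed to represent is the practical safeguard. The script below is an added example written for this thread, not Pi-hole or dnsmasq code: it parses the dnsmasq `trust-anchor=<zone>,<key-tag>,<algorithm>,<digest-type>,<digest>` syntax, recomputes the key tag (RFC 4034 Appendix B) and the DS digest from a DNSKEY, and reports mismatches. The DNSKEY used in the demo is a constructed placeholder, not the OpenNIC key; the real key must be taken from OpenNIC.

```python
import hashlib
import re
import struct

# DS digest types (RFC 4034/4509/6605) and the hex length each digest must have.
DIGEST_LEN = {1: 40, 2: 64, 4: 96}
DIGEST_FN = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def parse_anchor(line):
    """Parse one dnsmasq trust-anchor line; reject shape/length errors the daemon ignores."""
    m = re.fullmatch(r"\s*trust-anchor=([^,]*),(\d+),(\d+),(\d+),([0-9A-Fa-f]+)\s*", line)
    if not m:
        raise ValueError("not a well-formed trust-anchor line: %r" % line)
    zone, tag, alg, dtype, digest = m.groups()
    tag, alg, dtype = int(tag), int(alg), int(dtype)
    if not 0 <= tag <= 65535:
        raise ValueError("key tag %d out of range" % tag)
    if dtype not in DIGEST_LEN:
        raise ValueError("unknown digest type %d" % dtype)
    if len(digest) != DIGEST_LEN[dtype]:
        raise ValueError("digest has %d hex chars, digest type %d needs %d"
                         % (len(digest), dtype, DIGEST_LEN[dtype]))
    return zone or ".", tag, alg, dtype, digest.upper()

def wire_name(zone):
    """Canonical (lower-case) wire-format owner name; '.' becomes a single zero byte."""
    labels = [l for l in zone.rstrip(".").lower().split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(zone, rdata, dtype):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA)."""
    return DIGEST_FN[dtype](wire_name(zone) + rdata).hexdigest().upper()

def make_anchor(zone, flags, protocol, algorithm, pubkey, dtype=2):
    """Build the dnsmasq trust-anchor line for a DNSKEY (what 02-trustanchor.conf should hold)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return "trust-anchor=%s,%d,%d,%d,%s" % (zone, key_tag(rdata), algorithm, dtype,
                                            ds_digest(zone, rdata, dtype))

def anchor_matches_key(line, flags, protocol, algorithm, pubkey):
    """True only if tag, algorithm and digest in the line all match the given DNSKEY."""
    zone, tag, alg, dtype, digest = parse_anchor(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return alg == algorithm and tag == key_tag(rdata) and digest == ds_digest(zone, rdata, dtype)

if __name__ == "__main__":
    fake_key = b"\x00\x01"  # constructed placeholder key material, not a real DNSKEY
    print(make_anchor(".", 257, 3, 8, fake_key))
```

Run `make_anchor` with the zone and DNSKEY fields published by the key's operator, compare its output with the line in your `02-trustanchor.conf`, and any difference is a typo or a stale record.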
I got it working with the configuration posted above. It ultimately seems to have been an issue with the upstream servers I was using. I'll have to investigate further later, but I just spun up my own for now. Thanks for the help.