Possible to change DNSSEC trust anchor?


I’m using OpenNIC servers upstream, and due to the nature of their service (custom additional TLDs) they have a custom DNS root that’s signed with their own key. Of course even though they have DNSSEC, I can’t validate it with Pi-hole since it’s presumably expecting ICANN’s trust anchor.

Is there a way to manually change that trust anchor so DNSSEC validation would work? I’m looking to use this key:

root@nyc1:~# dig . DNSKEY @ +short
257 3 8 AwEAAaq+qqsdDHByq/DFR5/u23qcDNOQJzjYBcSfjrGNLdY2+vY+ubhu iz0hG1xk5D+dK78Eh58wZ3tQnsRr3bVNVfcovlx/rdwuw5blez2TT0Et 4IF/3b/RpMpCwSSOWTMGvi0EwIMNsjYWEZlRjcWku3cnAAvSD3YdaRW2 JCKsbkK5OQp2YjuQgIOL7J6f8mN6nkfAWd9L2U9H+TSEnx8gqqkXIEIR WcbdWN1FiCdy3L8CaHbZcttzx5lLOGrjPW+raXn+KaQSU+WW9n2PPOZb NUrQnsW/DJ+b+soNQQbhwFlp/av5VzaxB7/57vEKqj71x+Xu8S0sGpLc Xrkf5p3ri93ScLsJOT11fIlMRIwcKsWZEIIyYzuQeq8MoVTenvN6re/y 872Vb6JBHbBMk0JmsRwkXltz9PINWyvVyqM3PA1bJ4fz8QbqXnTnJiR/ yylhcE8rjPUtnf29NyDN7Co9JzPwnwE74F3k3R18w45L8E5Dt5it2PIA 9/rb6GDMrPAPsa1X82qNLzcboosMj9vT7Ofg8M+x2/VYt6u4xX4glZRa vyjTs6qGfzFS+Z44zrIP4CtNa0fL0AwJ/wsK4YJSX0xZ6/CJI/NNXeSg G5vfMw04kUDI9d9oO9jkAhYDmTaOI6C5nVTymAs3uje8/mZlo/pUSllB 0DkpTgd5PTAwQsA1
256 3 8 AwEAAaZnbL4yf5OZKLi/tjNBLKUwLuxhyvhildx0Efb/nMlRrCgafhCD 8A8tZkQLMQjQDu5Uckk/M1wCY5U8A9yvOapWMHx3S9dnFSvp4CFWitvo QYDJIMMooNGdYpljzKtR52wPdUpcqvSRwpp9a4gsoEx/r4jY9vyrT/SO 7yQuhh4uVKtZeHcXl/w2V14zVNUBoDl3SlSYIkVBa2HzponOsDlqJN6V QbZQ4mbvpnvbWOq55E/1pzIIrwp0X2VxSunhU/sGKpfiW9c5O6mPwUGl 1NDeYzycNKGy2Nsx4p4nkN43rRwjDBtD4CSUiTwtsMFTF5xKAbuUgSds BAQMyTnokYs=

Add OpenNIC DNS Servers

The trust anchor is set in /etc/dnsmasq.d/01-pihole.conf. Since this file is subject to modification on updates, you may want to try creating an /etc/dnsmasq.d/02-trustanchor.conf with the proper anchor record.

Something similar to https://forum.manjaro.org/t/dnssec-trust-anchor-issue-with-dnsmasq-when-using-opennic-dns/32853


I’ve changed this to a Feature Request as more users might want to see this going into Pi-hole by default. @DanSchaper do you agree that this would be harmless?


Completely harmless, if it’s an established trust anchor record and one that would be needed for OpenNIC it would couple with the Feature Request to support OpenNIC. Would just be a third trust anchor record in the configuration.


I was going to mention this in the op but I forgot. I’m using FTLDNS, does that change any of the configuration?


No, it uses the same configuration files, it’s based on dnsmasq just with some additional code and some fixes to things. We kept with the same base so that there wouldn’t be a big change that power users of dnsmasq would have to redo their setups.


I wasn’t actually able to get it working with that configuration. All you have to do is add that file right? Could be related to my upstream DNS servers though, I’ll have to test it more when I get back to a computer.

root@nyc1:~# cat /etc/dnsmasq.d/02-trustanchor.conf


That should be enough, if FTLDNS is running, then the configuration is accepted by the daemon. If there was a conflict then the daemon would not start as it validates the configuration files before running. That will not check the validity of the record hash value, so if there was an issue there, like an old record or a typo, then it would not be caught by the checker.


I got it working with the configuration posted above. It ultimately seems to have been an issue with the upstream servers I was using, I’ll have to investigate further later, but I just spun up my own for now. Thanks for the help :slight_smile:

closed #10

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.