Open mfeller2000 opened 7 months ago
What do you mean by “private” here? This doesn't seem to be about the Private rDNS upstream feature.
What are 10.0.50.2 and 10.0.50.4? AdGuard Home doesn't validate DNSSEC itself, but merely sends the AD flag to the upstream, as documented in the UI.
Do you see incoming queries on these servers and if so, do they have AD flag set?
By "private" I mean that these DNS servers are only accessible within the network where AdGuard is located. So no outside recursive DNS server can query them. 10.0.50.2 and 10.0.50.4 are the DNS servers for int.XXXXXX.re.
If AdGuard doesn't do the validation itself, I guess this issue can be closed then.
Also as a workaround, I just put an unbound resolver in front of AdGuard, where the unbound takes care of redirecting the int.XXXXXX.re to 10.0.50.2 and 10.0.50.4. In this setup, AdGuard correctly shows that DNSSEC is validated and the AD flag is set.
Prerequisites
[X] I have checked the Wiki and Discussions and found no answer
[X] I have searched other issues and found no duplicates
[X] I want to report a bug and not ask a question or ask for help
[X] I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
Linux, AMD64 (aka x86_64)
Installation
GitHub releases or script from README
Setup
On one machine
AdGuard Home version
0.107.44
Action
Execute a dig command:
root@jupyter:~# dig @10.0.30.2 jupyter.int.XXXXXX.re +dnssec
Here the IP address 10.0.30.2 is the AdGuardHome DNS server.
Expected result
jupyter.int.XXXXXX.re should have the ad (authenticated data) flag set and should show in AdGuardHome that it has been validated.
Actual result
Missing AD (Authenticated Data) flag
DNSSEC not validated in AdGuardHome
Running delv for jupyter.int.XXXXXX.re works and validates fine:
Additional information and/or screenshots
The upstream DNS servers are configured as follows:
The nameservers 10.0.50.2 and 10.0.50.4 are internally accessible only.
DNSSEC validation is enabled under DNS Settings in AdGuardHome
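The check asked for in the thread (do queries reaching the upstream carry the AD flag, and does the reply come back with it) can be made on raw DNS payloads taken from a packet capture. The following is an added example, not code from this issue or from AdGuard Home; the function names, the name `host.int.example` and the answer address are constructed for illustration.

```python
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020  # header flag bits (AD: RFC 4035)
DO = 0x8000   # "DNSSEC OK" bit in the EDNS0 OPT record's TTL field (what dig +dnssec sets)
OPT = 41      # EDNS0 pseudo-record type

def build_query(name, ad=True, do=True, qid=0x1234):
    """Build an A/IN query, optionally with the AD bit and an OPT record carrying DO."""
    header = struct.pack("!6H", qid, RD | (AD if ad else 0), 1, 0, 0, 1 if do else 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\0"
    opt = (b"\0" + struct.pack("!HHIH", OPT, 1232, DO, 0)) if do else b""
    return header + qname + struct.pack("!2H", 1, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if (msg[off] & 0xC0) == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def dnssec_flags(msg):
    """Report QR, AD and DO for one DNS message (query or response)."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg)
    off, do = 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        do = do or (rtype == OPT and bool(ttl & DO))
        off += 10 + rdlen
    return {"response": bool(flags & QR), "ad": bool(flags & AD), "do": do}

def build_response(query, ad):
    """Constructed reply to `query`: one A record, AD set only if `ad` is true."""
    qid, flags, qd, _, _, ar = struct.unpack_from("!6H", query)
    flags = (flags & ~AD) | QR | RA | (AD if ad else 0)
    qend = skip_name(query, 12) + 4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([10, 0, 50, 10])
    return struct.pack("!6H", qid, flags, qd, 1, 0, ar) + query[12:qend] + answer + query[qend:]

if __name__ == "__main__":
    q = build_query("host.int.example")    # constructed name, not the one in the issue
    for label, msg in [("query", q), ("validated reply", build_response(q, True)),
                       ("unvalidated reply", build_response(q, False))]:
        print(label, dnssec_flags(msg))
```

A reply with `ad` false and `do` true corresponds to the "Actual result" reported here: DNSSEC records were requested, but the answering resolver did not mark the data as authenticated.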