janmojzis / dq

Recursive DNS/DNSCurve server and command-line tool to debug DNS/DNSCurve
Creative Commons Zero v1.0 Universal

Enabling DNSSEC validation breaks queries #2

Open pkubaj opened 7 years ago

pkubaj commented 7 years ago

I want to run dqcache as a forwarder for Unbound. Unbound is also supposed to act as a DNSSEC validator. Unfortunately, while dqcache resolves names properly and forwarding from Unbound works properly, when I enable DNSSEC in Unbound, it breaks.

I can also resolve names with Unbound and DNSSEC using other forwarders, so it's clearly something wrong with dqcache.

bAndie91 commented 3 years ago

@pkubaj, I observed that dqcache does not include the dnssec extension in the dns query, so most dnssec-enabled authoritative nameservers won't include RRSIG in the answer.

I don't know precisely how Unbound performs dnssec validation, but most probably it adds the EDNS dnssec extension to the query (additional section), which does not seem to go through dqcache. There could be another way to get the RRSIG, DNSKEY, and DS records: by querying them directly. But I'm afraid it is not very well supported; obviously it'd generate more traffic, so people tend to implement it the EDNS way. IMO it'd be worth exploring this direct-query way, because if it works, you can have a "dnssec validator-only" forwarder, with which you can enrich any resolver with dnssec capabilities.

Also, dqcache delivers DS and DNSKEY records to me when I query them directly, but segfaults on RRSIG.
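To make the "dnssec extension" concrete, here is an added example (not code from dq or dqcache, and not from either commenter). The extension is an EDNS0 OPT pseudo-RR in the additional section with the DO (DNSSEC OK) bit set (RFC 3225, RFC 6891); a server for a signed zone only adds RRSIG records when it sees that bit. The code builds queries with and without DO, walks the wire format of a reply, and uses a constructed stand-in server that follows the DO rule; the RRSIG's signature bytes are a zero-filled placeholder, not a real signature, and example.com with 192.0.2.1 is constructed sample data.

```python
"""Added example (not dq/dqcache code): the EDNS0 OPT/DO bit on the wire, and
why a query without it gets no RRSIG back from a signed zone's server."""
import struct

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
CLASS_IN = 1
EDNS_DO = 0x8000             # DO bit: high bit of the 16-bit EDNS flags field
OPT_UDP_SIZE = 4096          # OPT CLASS field carries the sender's UDP payload size
QNAME_POINTER = b"\xc0\x0c"  # compression pointer to the question name at offset 12


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. "example.com." -> 07example03com00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, dnssec_ok: bool, txid: int = 0x1234) -> bytes:
    """Build a recursion-desired query; with dnssec_ok an OPT RR with DO=1 is appended."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if dnssec_ok:
        # OPT pseudo-RR: root NAME, TYPE 41, CLASS = UDP size,
        # TTL = ext-rcode(8) | version(8) | flags(16) with DO set, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, OPT_UDP_SIZE, EDNS_DO, 0)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_message(msg: bytes) -> dict:
    """Walk all sections; report RR types per section and whether an OPT RR had DO set."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    out = {"answer": [], "authority": [], "additional": [], "do": False}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                out["do"] = bool(ttl & EDNS_DO)   # OPT reuses the TTL field for flags
            out[section].append(rtype)
    return out


def build_rr(name_wire: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """Serialize one resource record with an already-encoded owner name."""
    return name_wire + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


# Constructed RRSIG RDATA covering the A RRset: type covered, algorithm
# (13 = ECDSAP256SHA256), labels, original TTL, expiration, inception, key tag,
# signer name, then the signature. The 64 zero bytes are a placeholder signature.
RRSIG_RDATA_STUB = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 12345)
                    + encode_name("example.com.") + b"\x00" * 64)


def signed_zone_server(query: bytes) -> bytes:
    """Constructed authoritative server for a signed zone: answers with an A record,
    and adds the RRSIG plus an OPT echo only if the query carried DO (RFC 3225 s.3)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    do = parse_message(query)["do"]
    answers = [build_rr(QNAME_POINTER, TYPE_A, 300, bytes([192, 0, 2, 1]))]
    additional = b""
    if do:
        answers.append(build_rr(QNAME_POINTER, TYPE_RRSIG, 300, RRSIG_RDATA_STUB))
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, OPT_UDP_SIZE, EDNS_DO, 0)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 1 if do else 0)
    return header + question + b"".join(answers) + additional


def answer_types(dnssec_ok: bool) -> list:
    """Query the constructed server with or without DO; return the answer-section RR types."""
    query = build_query("example.com.", TYPE_A, dnssec_ok)
    return parse_message(signed_zone_server(query))["answer"]


if __name__ == "__main__":
    print("with DO   :", answer_types(True))    # [1, 46]  -> A plus RRSIG
    print("without DO:", answer_types(False))   # [1]      -> RRSIG withheld
```

Against a live forwarder the same check is `dig +dnssec example.com @<forwarder>`: a forwarder that preserves the extension shows `flags: do` on the `EDNS` line and RRSIG records in the answer section; one that strips it, as described for dqcache above, returns the bare RRset, which is exactly what a validating Unbound cannot verify.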