I use NextDNS.io for DNS filtering on different devices, to be able to protect my family from ads and other unexpected content wherever they are (home or away from home). So I set the NextDNS servers as the DNS upstream. So far so good.
But as NextDNS does some content filtering and already does DNSSEC validation, it sometimes leads to trouble at the IPFire level (I use IPFire 2.25 v157).
For example, resolution of duckduckgo.com failed as I enforced SafeSearch at the NextDNS level.
I see messages like this at the IPFire level:
18:40:30 unbound: [18949:0] info: validation failure <www.duckduckgo.com. A IN>: DS got unsigned CNAME answer from 220.127.116.11 and 18.104.22.168 for DS duckduckgo.com. while building chain of trust
If I edit /etc/unbound/unbound.conf to disable the DNSSEC trust directive, it will work, but I think I'll have to edit it again after the next IPFire update.
So is there a better way to disable DNSSEC validation, or to disable it only for the upstream DNS servers concerned?
Thanks and have a good day!