Once upon a time, Lennart Poettering <mzerqung(a)0pointer.de> said:
> Again, we do not support DNSSEC from client to the stub. If you set CD
> we'll return NOTIMP as rcode, indicating that. We do not implement a
> full DNS server, but just enough for local stub clients (such as the
> one implemented in glibc or Java) to work. If you want the full DNSSEC
> client stuff, talk directly to the upstream DNS server.

If you want to go in /etc/resolv.conf, you need to be a full resolver.
There's no telling what programs expect to be able to talk the full DNS
protocol to the "nameserver" lines from /etc/resolv.conf (for example,
the perl Net::DNS module gets its servers from there by default, so all
kinds of perl scripts could break). dnsmasq defaults to using resolvers
from /etc/resolv.conf too IIRC.

If you want to be a resolver, be an actual resolver, and in 2020, that
includes implementing EDNS0, DNSSEC, etc.
--
Chris Adams <linux(a)cmadams.net>
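
Added example, not part of the original message and not code from either project: a check for the behaviour discussed above. It builds a query with the CD bit and an EDNS0 OPT record carrying DO, and classifies the reply header so NOTIMP is reported per "nameserver" entry. The function names, return labels and sample resolv.conf text are assumptions made for this sketch.

```python
import socket
import struct

FLAG_QR, FLAG_RD, FLAG_CD = 0x8000, 0x0100, 0x0010
RCODE_NOTIMP = 4
TYPE_OPT = 41
EDNS_DO = 0x8000  # DO bit inside the OPT record's TTL field

# Constructed sample input, not taken from any real host.
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 127.0.0.53\noptions edns0\n"

def nameservers(resolv_conf_text):
    """Return the addresses on 'nameserver' lines, in file order."""
    fields = (line.split() for line in resolv_conf_text.splitlines())
    return [f[1] for f in fields if len(f) >= 2 and f[0] == "nameserver"]

def build_query(name, qtype=1, qid=0x1234, cd=True, do=True):
    """Build a DNS query, optionally with CD set and an EDNS0 OPT (DO) record."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, class = UDP payload size, TTL = flags, no RDATA
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)) if do else b""
    return header + question + opt

def classify_response(query, response):
    """Classify a reply to a CD query from its 12-byte header only."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & FLAG_QR:
        return "mismatch"
    rcode = flags & 0x000F
    if rcode == RCODE_NOTIMP:
        return "notimp"  # server rejects CD queries, as described above
    if rcode != 0:
        return "rcode-%d" % rcode
    return "cd-echoed" if flags & FLAG_CD else "cd-not-echoed"

def probe(server, name="example.com", timeout=2.0):
    """Send the CD+DO query to one server over UDP and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return classify_response(query, s.recvfrom(4096)[0])
```

To run it against a host, call probe() on each address returned by nameservers() for that host's /etc/resolv.conf contents.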