From 07e605e9f4df2aec144ea21e81579b3db4fa3bb1 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 16 Dec 2019 17:23:22 +0100 Subject: [PATCH] Add a note about dnsmasq In the config file, so that it has more visibility than in the doc. Synthetic responses cannot contain NSEC or RRSIG records, and that seems to be confusing dnsmasq. --- dnscrypt-proxy/example-dnscrypt-proxy.toml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/dnscrypt-proxy/example-dnscrypt-proxy.toml b/dnscrypt-proxy/example-dnscrypt-proxy.toml index 463f5fdf..7e83b9be 100644 --- a/dnscrypt-proxy/example-dnscrypt-proxy.toml +++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml @@ -258,11 +258,15 @@ log_files_max_backups = 1 # Filters # ######################### +## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you +## configure dnscrypt-proxy to do any kind of filtering (including the filters +## below and blacklists). +## But you can still choose resolvers that do DNSSEC validation. + + ## Immediately respond to IPv6-related queries with an empty response ## This makes things faster when there is no IPv6 connectivity, but can ## also cause reliability issues with some stub resolvers. -## Do not enable if you added a validating resolver such as dnsmasq in front -## of the proxy. block_ipv6 = false