Enabled DNSSec #10
base: master
While DNSSEC is a nice feature, it's unclear if it should be offered by default, especially with dnssec-check-unsigned, as that negatively impacts performance for anyone using the image that does not see value / interest in enabling DNSSEC.

Would it be better to switch the package, and provide the config snippet in the README instead so that users can configure DNSSEC if they want to enable it?
# DNSSEC setup | ||
dnssec | ||
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 | ||
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D | ||
dnssec-check-unsigned |
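Review bot: The two trust-anchor lines are hard-coded with no comment on where the digests come from, so nobody reading this file later can tell whether they are still the current root anchors; the `conf-file=/usr/share/dnsmasq/trust-anchors.conf` form suggested in review keeps the anchors out of this snippet, and `dnssec-check-unsigned` should at least carry a comment noting that it adds upstream queries for every unsigned reply, since this enables it for every user of the image by default.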
You should provide context about such configuration values; they should not be trusted otherwise.

The trust anchors seem legitimate (the Gentoo wiki offers the exact same snippet), but rather than adding them inlined here, you should be doing it like this:
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned also looks useful.

Now some replies are not DNSSEC signed but may still be legitimate, because the domain is unsigned, or may be forgeries. This setting will have dnsmasq do various checks to see if it still looks valid. Now this will take a few more DNS lookups, but it's good for security. - Source

As a default, dnsmasq does not check that unsigned DNS replies are legitimate: they are assumed to be valid and passed on (without the "authentic data" bit set, of course). This does not protect against an attacker forging unsigned replies for signed DNS zones, but it is fast. If this flag is set, dnsmasq will check the zones of unsigned replies, to ensure that unsigned replies are allowed in those zones. The cost of this is more upstream queries and slower performance. - Source
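As an added example (not code from this PR or from the dnsmasq project), a small Python audit of the two configurations discussed in this thread: it parses dnsmasq directives, checks that each trust-anchor line is well-formed (field count, key tag range, digest length matching the digest type) and flags the two review points, inline anchors and the extra upstream queries that dnssec-check-unsigned costs. The sample fragments and the helper names (`parse`, `check_anchor`, `audit`) are constructed for this example.

```python
import re
# Constructed samples from the discussion above: the PR's inline snippet and
# the reviewer's conf-file alternative.
PROPOSED = """\
# DNSSEC setup
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec-check-unsigned
"""
ALTERNATIVE = "conf-file=/usr/share/dnsmasq/trust-anchors.conf\ndnssec\n"
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # DS digest type -> hex length (SHA-1/256/384)
def parse(text):
    """Split a dnsmasq config fragment into (key, value) pairs; bare flags get None."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, sep, val = line.partition("=")
            pairs.append((key.strip(), val.strip() if sep else None))
    return pairs
def check_anchor(value):
    """Validate 'zone,keytag,algorithm,digest-type,digest'; return an error or None."""
    parts = value.split(",")
    if len(parts) != 5:
        return "expected zone,keytag,algorithm,digest-type,digest"
    _zone, tag, alg, dtype, digest = parts
    if not (tag.isdigit() and int(tag) <= 65535 and alg.isdigit()):
        return "key tag must be 0..65535 and algorithm numeric"
    want = DIGEST_HEX_LEN.get(int(dtype)) if dtype.isdigit() else None
    if want is None:
        return "unknown digest type %s" % dtype
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % want, digest):
        return "digest must be %d hex chars for type %s" % (want, dtype)
    return None
def audit(text):
    """Summarise the DNSSEC posture of a fragment and flag the review's points."""
    pairs = parse(text)
    keys = [k for k, _ in pairs]
    anchors = [v or "" for k, v in pairs if k == "trust-anchor"]
    report = {"dnssec": "dnssec" in keys, "check_unsigned": "dnssec-check-unsigned" in keys,
              "inline_anchors": len(anchors), "anchor_errors": [e for e in map(check_anchor, anchors) if e],
              "anchor_file": any(k == "conf-file" and "trust-anchors" in (v or "") for k, v in pairs)}
    report["warnings"] = [w for cond, w in [
        (report["dnssec"] and not (anchors or report["anchor_file"]), "dnssec set but no trust anchor configured"),
        (bool(anchors), "anchors inlined; prefer conf-file=/usr/share/dnsmasq/trust-anchors.conf"),
        (report["check_unsigned"], "dnssec-check-unsigned costs extra upstream queries per unsigned reply"),
    ] if cond]
    return report
```

Running `audit(PROPOSED)` reports two valid inline anchors plus both warnings, while `audit(ALTERNATIVE)` reports the anchor file and no warnings.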
See upgrade discussion here: #24. Once upgraded, I'd consider releasing DNSSEC as a branch, with a corresponding tag.
Switching to DNSSec dnsmasq package to support DNSSEC