On Wed, 5 Jan 2022 16:36:40 +0100 Vincent Lefevre <vinc...@vinc17.net> wrote: ..
> But I don't understand. The upstream nameservers are supposed to be used as a fallback. Even if upstream nameservers do not perform DNSSEC validation, this is still better than a failure when DNSSEC is not required.

For the record, this is incorrect, just as has been stated in #1004032 numerous times already. The upstream nameservers provided by DHCP were never supposed to be used as a "fallback"; even more, there's no _notion_ of a "fallback" in this context. We EITHER use the DHCP-provided nameservers, OR we use the regular recursive way. But not both.

I know of no recursive resolver software which has a notion of "fallback" like this.

Thanks,

/mjt