DNS Security, BIND, Pihole, what am I doing wrong here?
So I have my own DNS resolver running Bind9 with dnssec enabled but whenever I toggle "Use DNSSEC" in pihole it completely breaks all DNS resolutions even though I can see DNSSEC working by doing a dig on my own domain that has it enabled.
This is the last thing I needed to fix to get off of Cloudflare's DoH tunnel and relying on my own servers.
@eleix 🤔 does it break all DNSSEC resolutions? Did you check your traffic between PiHole and NS and between client PC and PiHole with something like Wireshark?
@L1Cafe Yep, all resolutions just flat out die, but with the toggle off they work perfectly fine. I was just about to do that but held off in case it was something simple in the config I was missing.
@eleix It wouldn’t be the first time I’d fix a configuration mistake just by doing a simple Wireshark capture.
Last time I helped a coworker fix their TFTP configuration through a packet capture. It helped because his TFTP client didn’t exactly give out particularly informative error messages.
I don’t know much about PiHole but I’ll try to help if you’re still not sure 🤗
@L1Cafe Thanks. Though I'm wondering if maybe it's somewhat related to the OpenNIC config I have on the same server. It's running as a T2. If I do a dig on "." it returns ns0.opennic.glue. I'm not using any forwarders either. But I'm assuming if I can resolve hosts without forwarders then something has to be working right?
@eleix Not sure if I understand the situation correctly. Non-DNSSEC queries work fine? I suppose I would first try using something that's not OpenNIC. Maybe that's the problem?
@L1Cafe Let me remove the opennic config and see what happens. It's not a listed opennic server so I'm not worried about breaking anyone's DNS queries other than my own :P
@L1Cafe Yep, that was it. Apparently having OpenNIC on the "." record will break DNSSEC resolutions. Setting it to the ICANN root hints and enabling DNSSEC in Pi-hole got things working.
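The failure mode the thread lands on is worth being able to spot quickly: Pi-hole's DNSSEC toggle turns on validation in dnsmasq, which checks every answer against the ICANN root trust anchor, so a BIND instance whose "." hint zone points at OpenNIC hands back a chain that does not end at that key and every query comes back SERVFAIL, exactly the "all resolutions die" symptom above. The script below is an added example written for this page, not code from the thread or from Pi-hole/BIND. It classifies `dig` output by status and `ad` flag, identifies which root a hints file or `dig NS .` answer points at, and combines the two into the diagnosis reached in this thread. All dig output and hints-file contents in it are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example (not from the thread). Offline checks for the DNSSEC-vs-OpenNIC
# failure mode. Every sample string below is CONSTRUCTED for illustration.

# validation_state DIG_OUTPUT
#   validated    NOERROR with the ad (authenticated data) flag set
#   unvalidated  NOERROR without ad: the resolver is not validating
#   servfail     SERVFAIL: typically a bogus chain (wrong root / trust anchor)
#   unknown      anything else
validation_state() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        SERVFAIL) echo servfail ;;
        *)        echo unknown ;;
    esac
}

# root_source TEXT
# TEXT is a root hints file or the answer section of `dig NS .`.
# Reports icann (root-servers.net), opennic, or unknown.
root_source() {
    text="$1"
    if printf '%s\n' "$text" | grep -qi 'root-servers\.net'; then
        echo icann
    elif printf '%s\n' "$text" | grep -qi 'opennic'; then
        echo opennic
    else
        echo unknown
    fi
}

# diagnose DIG_OUTPUT ROOT_TEXT
# Combines both checks into a one-line verdict.
diagnose() {
    state=$(validation_state "$1")
    root=$(root_source "$2")
    case "$state:$root" in
        validated:icann)  echo "ok: validating against the ICANN root" ;;
        servfail:opennic) echo "broken: root points at OpenNIC, which does not chain to the ICANN trust anchor that dnsmasq validates against" ;;
        servfail:*)       echo "broken: SERVFAIL, check the trust anchor and the upstream chain" ;;
        unvalidated:*)    echo "not validating: enable dnssec-validation in BIND and DNSSEC in Pi-hole" ;;
        *)                echo "unknown ($state, root=$root)" ;;
    esac
}

# Constructed sample: `dig NS .` answer from a BIND rooted at OpenNIC.
OPENNIC_ROOT='.   86400   IN  NS  ns0.opennic.glue.'
# Constructed sample: two lines of the ICANN root hints file.
ICANN_ROOT='.   3600000   IN  NS  a.root-servers.net.
a.root-servers.net.   3600000   IN  A   198.41.0.4'

# Constructed sample dig headers: validated, not validating, and bogus.
DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
DIG_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
DIG_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# The two situations from the thread: before and after swapping the root.
diagnose "$DIG_SERVFAIL" "$OPENNIC_ROOT"
diagnose "$DIG_OK" "$ICANN_ROOT"
```

To feed it real data, capture `dig +dnssec example.org @<pi-hole-ip>` and `dig NS . @<bind-ip>` and pass their output as the two arguments. On the BIND side the fix the thread describes is the "." stanza, `zone "." { type hint; file "<root hints>"; };`, pointed back at the ICANN hints (Debian ships them as /usr/share/dns/root.hints) with `dnssec-validation auto;` left on; OpenNIC names such as .geek or .pirate will then stop resolving, which is the trade-off accepted above.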
@eleix OpenNIC does some non-standard stuff, doesn't it?
@L1Cafe Namely just for resolving non-ICANN names like .pirate, .fur and .geek, to name a few, and it is entirely user-run. But yeah, the whole point is to take what ICANN does with the root servers and give that control back to the people.
@L1Cafe Can quickly feel the difference though. I was expecting the slower resolutions, but I'll have to adjust my local cache settings on the Pi-hole, because without using any forwarders I'm quickly running into moments where some websites take that extra couple of seconds to resolve and time out at times.
@eleix I should really get a Pi-hole, so many people recommend it 🤔
@eleix I used to run pfSense on an old computer but due to... reasons, I'm not able to have that setup anymore. My goal is to do it again, and have a switch/WiFi AP connected to the "protected" NIC, while the other NIC acts as the WAN one. But yeah, the Pi-hole is easier to manage and install...
@L1Cafe That is ultimately my goal. My end game is to have everything I use be completely inside my own network so that, no matter what, I cannot be easily tracked or have my activity monetized by any of the big corporations. It's a stance not many can easily take, but I'm slowly managing to pull all the services I rely on under my own control, and so far it's been successful. :)
@L1Cafe Yep, this works at the network level, so even devices like a Chromecast or Roku that don't give you that control are now forced to respect your privacy :)