DNSSEC validates DNS replies and cache DNSSEC data. When forwarding DNS queries, dnsmasq requests the DNSSEC records needed to validate the replies. The replies are validated, and the result returned as the Authenticated Data bit in the DNS packet. In addition, the DNSSEC records are stored in the cache, making validation by clients more efficient. Note that validation by clients is the most secure DNSSEC mode, but for clients unable to do validation, use of the AD bit set by dnsmasq is useful, provided that the network between the dnsmasq server and the client is trusted. The nameservers upstream of dnsmasq must be DNSSEC-capable—that is, capable of returning DNSSEC records with data. If they are not, dnsmasq is not able to determine the trusted status of answers, and this means that DNS service is entirely broken
To enable DNSSEC, use the following command:
enable dns cache {dnssec}
To disable DNSSEC, use the following command:
disable dns cache {dnssec}
To show DNSSEC status, use the following command:
show dns cache configuration {{vlan} vlan_name | {vr} vr_name}