DNSSEC passthrough support in dnsmasq

Bug #946093 reported by Stéphane Graber
Affects: network-manager (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Mathieu Trudel-Lapierre

Bug Description

I just noticed that Network Manager isn't using --proxy-dnssec for the local resolver.
Using this option is important for environments where the client (firefox or similar) is actively checking for the DNSSEC flags.

From dnsmasq's man page:
       --proxy-dnssec
              A resolver on a client machine can do DNSSEC validation in two ways: it
              can perform the cryptographic operations on the reply it receives, or it
              can rely on the upstream recursive nameserver to do the validation and
              set a bit in the reply if it succeeds. Dnsmasq is not a DNSSEC validator,
              so it cannot perform the validation role of the recursive nameserver,
              but it can pass through the validation results from its own upstream
              nameservers. This option enables this behaviour. You should only do
              this if you trust all the configured upstream nameservers and the
              network between you and them. If you use the first DNSSEC mode,
              validating resolvers in clients, this option is not required. Dnsmasq
              always returns all the data needed for a client to do validation itself.

As our dnsmasq should be as transparent as possible to the user, I believe doing dnssec passthrough is the right thing and will be important for some of our users.
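The "bit in the reply" the man page refers to is the AD (Authenticated Data) flag in the DNS header. The following added example (not part of the bug report or of dnsmasq) models the two forwarder behaviours described above on a constructed reply: with proxying enabled the upstream's AD bit is passed through, without it the bit is cleared, which is what makes a DNSSEC-signed site look unsigned to a client that only inspects the flag. The `forward_reply` helper is a hypothetical model of the forwarder, not dnsmasq code.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: set by a validating upstream resolver
FLAG_CD = 0x0010  # Checking Disabled: client intends to validate itself


def build_reply(txid, flags, qname="example.com", qtype=1):
    """Build a minimal DNS reply: header plus one question section, no answers.
    This is constructed sample data for the example, not a real capture."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def parse_flags(packet):
    """Decode the 16-bit flag word of a DNS message into the bits that matter here."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


def forward_reply(upstream_reply, proxy_dnssec):
    """Hypothetical model of a non-validating forwarder relaying an upstream reply.
    With proxy_dnssec=True the upstream's AD bit is passed through unchanged;
    with proxy_dnssec=False the forwarder clears AD, since it cannot vouch for it."""
    txid, flags = struct.unpack("!HH", upstream_reply[:4])
    if not proxy_dnssec:
        flags &= ~FLAG_AD & 0xFFFF
    return struct.pack("!HH", txid, flags) + upstream_reply[4:]


def ad_seen_by_client(proxy_dnssec):
    """What a client checking only the AD flag observes for a validated upstream reply."""
    upstream = build_reply(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
    return parse_flags(forward_reply(upstream, proxy_dnssec))["ad"]


if __name__ == "__main__":
    print("with --proxy-dnssec:   AD =", ad_seen_by_client(True))
    print("without --proxy-dnssec: AD =", ad_seen_by_client(False))
```

Because the forwarder only copies the flag, the AD bit is only as trustworthy as the upstream resolver and the path to it, which is the man page's condition for enabling the option.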

Marc Deslauriers (mdeslaur) wrote :

Yes, we should probably turn this on by default.

I'm kind of curious why dnsmasq makes this an option that they don't turn on by default though...

Changed in network-manager (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Marc Deslauriers (mdeslaur) wrote :

Ah, the default must be when someone is using dnsmasq on a network, and not locally, so it makes sense to turn it on in our use case.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.9.2.0+git201202161854.8572ecf-0ubuntu6

---------------
network-manager (0.9.2.0+git201202161854.8572ecf-0ubuntu6) precise; urgency=low

  * debian/patches/dnsmasq-dnssec-passthrough.patch: have dnsmasq proxy DNSSEC
    data; otherwise we'll get DNSSEC-enabled sites show as non-DNSSEC in
    browsers (which would be a regression from the behavior of the libc
    resolver). (LP: #946093)
 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 05 Mar 2012 11:22:00 -0500

Changed in network-manager (Ubuntu):
status: In Progress → Fix Released