
EDE information missing from reply to upstream #873

Closed
jpgpi250 opened this issue Apr 8, 2023 · 5 comments · Fixed by #759 or #790

Comments

@jpgpi250

jpgpi250 commented Apr 8, 2023

Describe the bug
Asked this question in the unbound mailing list (https://lists.nlnetlabs.nl/pipermail/unbound-users/2023-April/008069.html).
George (Yorgos) Thessalonikefs answered this is possible by using "EDE codes for DNSSEC validation failures to the SERVFAIL answers".

The FTL developer has added code to evaluate these codes, however, the results are inconsistent.

After investigating this, it turns out the EDE codes are NOT always present in the reply. The pi-hole topic has an attachment with extended logging from pihole-FTL (= dnsmasq) and a pcap file that clearly shows the missing EDE information. The pi-hole topic, start reading from here: https://discourse.pi-hole.net/t/dnssec-discussion-support-for-proxy-dnssec/62217/17

The pcap file and log are found in the next entry (18).

To reproduce
Run unbound with "ede: yes", then check the replies from unbound -> downstream.

Expected behavior
Return EDE information for all queries, if available.
The strange thing is it works (EDE is returned) for dig requests (dig A www.dnssec-failed.org and dig AAAA www.dnssec-failed.org), but fails when a browser makes the request (open www.dnssec-failed.org in Microsoft Edge and/or Firefox).

System:

  • Unbound version: 1.17.2 (compiled from GitHub source)
  • OS: raspbian on raspberry pi 3B (Linux raspberrypi 6.1.21-v7+ #1642 SMP Mon Apr 3 17:20:52 BST 2023 armv7l GNU/Linux)
  • unbound -V output:
Version 1.17.2
Configure line: --prefix=/usr --sysconfdir=/etc --disable-static --enable-tfo-client --enable-tfo-server --with-libevent --with-libhiredis --enable-cachedb --with-pidfile=/run/unbound.pid
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 1.1.1n  15 Mar 2022
Linked modules: dns64 cachedb respip validator iterator
TCP Fastopen feature available

Additional information
The goal is to run pihole-FTL (= dnsmasq) with option proxy-dnssec. This appears to be working, but the EDE information isn't always present.
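To check the replies from unbound -> downstream as the reproduction step asks, here is an added example (my own code, not from the issue, Unbound or Pi-hole): a small Python parser that walks a DNS reply in wire format, finds the EDNS OPT record in the additional section and extracts any Extended DNS Error option (RFC 8914, option code 15). The two sample replies it checks are constructed in the script itself (a SERVFAIL for www.dnssec-failed.org with EDE 6 "DNSSEC Bogus", and the same SERVFAIL without any EDE, which is the "missing" case this issue is about); the extra-text string is made up for the example and is not Unbound's real wording. Real replies can be fed in as the raw bytes of a UDP payload from the pcap instead.

```python
"""Report the Extended DNS Error (EDE, RFC 8914) carried by a DNS reply, if any."""
import struct

# Info-codes from RFC 8914 that matter for DNSSEC validation failures.
EDE_NAMES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate",
    6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid",
    9: "DNSKEY Missing", 10: "RRSIGs Missing", 11: "No Zone Key Bit Set",
    12: "NSEC Missing", 13: "Cached Error",
}
OPT_TYPE = 41          # EDNS(0) pseudo-RR type
EDE_OPTION_CODE = 15   # EDNS option code for Extended DNS Error


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) owner name at off."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_ede(msg):
    """Return {'rcode': int, 'ede': [(info_code, name, extra_text), ...]}.

    The RCODE is combined with the extended RCODE bits from the OPT TTL field.
    An empty 'ede' list means the reply carries no EDE option at all.
    """
    flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHH", msg[2:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    edes = []
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        rcode |= ((ttl >> 24) & 0xFF) << 4     # extended RCODE lives in OPT TTL
        o = 0
        while o + 4 <= len(rdata):            # iterate EDNS options
            ocode, olen = struct.unpack("!HH", rdata[o:o + 4])
            odata = rdata[o + 4:o + 4 + olen]
            o += 4 + olen
            if ocode == EDE_OPTION_CODE and len(odata) >= 2:
                info = struct.unpack("!H", odata[:2])[0]
                text = odata[2:].decode("utf-8", "replace")
                edes.append((info, EDE_NAMES.get(info, "code %d" % info), text))
    return {"rcode": rcode, "ede": edes}


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_servfail(qname, ede=None):
    """Constructed sample SERVFAIL reply (A/IN query), optionally with one EDE option."""
    # flags 0x8182: QR=1, RD=1, RA=1, RCODE=2 (SERVFAIL); 1 question, 1 additional (OPT)
    header = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = b""
    if ede is not None:
        info, text = ede
        payload = struct.pack("!H", info) + text.encode("utf-8")
        rdata = struct.pack("!HH", EDE_OPTION_CODE, len(payload)) + payload
    # OPT RR: root name, type 41, UDP size 1232 in the class field, TTL 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(rdata)) + rdata
    return header + question + opt


if __name__ == "__main__":
    # Constructed extra-text; Unbound's real message text differs.
    with_ede = build_servfail("www.dnssec-failed.org",
                              (6, "validation failure <www.dnssec-failed.org. A IN>"))
    without_ede = build_servfail("www.dnssec-failed.org")
    for label, reply in (("with EDE", with_ede), ("without EDE", without_ede)):
        print(label, parse_ede(reply))
```

Run it directly to see both cases; to inspect a captured reply, pass the UDP payload bytes of the SERVFAIL packet to `parse_ede` and check whether the `ede` list is empty, which is exactly the inconsistency reported here.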

@jpgpi250
Author

jpgpi250 commented Apr 8, 2023

is this (missing EDE information) related to this PR #802 (add validation EDEs to queries where the CD bit is set)?

edit
cloned master from GitHub and replaced mesh.c with the version from branch features/ede-with-cd-bit, make, make install. Same result, so this PR #802 doesn't solve this issue.
/edit

@jpgpi250
Author

jpgpi250 commented Apr 9, 2023

This problem has been solved by adding code to pihole-FTL, which is the latest dnsmasq + features (to make pi-hole the better solution).
The PR (ready to be merged) can be found here:
pi-hole/FTL#1551
The conversation can be found here:
https://discourse.pi-hole.net/t/dnssec-discussion-support-for-proxy-dnssec/62217 (lots of trial and errors)
The summary (what is needed for both pi-hole and unbound to make it work) can be found here:
https://discourse.pi-hole.net/t/dnssec-discussion-support-for-proxy-dnssec/62217/36

@jpgpi250 jpgpi250 closed this as completed Apr 9, 2023
@gthess
Member

gthess commented Apr 12, 2023

I see that the issue is resolved and in your case it was dnsmasq and EDNS support.
There is another (known) issue that you probably won't stumble upon in your case (I assume that dnsmasq is used for cached answers to clients) and that is EDEs for Unbound's cached answers.
This will land on the next version with #759 and #790.

@jpgpi250
Author

When will these PRs be merged into github master, so I can compile with these improvements?

I'm getting unreliable / inconsistent results when using a browser (firefox / edge). dig always produces the correct result. running unbound with these improvements would exclude a possible cache problem...

caching: unbound +redis, dnsmasq cache-size=0

@jpgpi250 jpgpi250 reopened this Apr 12, 2023
@churchofnoise

Confirming what @jpgpi250 faces, also happening here.
Domains with known good DNSSEC config show this when using dig, yet not in the Pi-Hole interface when browsing to them.

Labels: None yet
Projects: None yet
3 participants