The Dnsmasq section suggests installing with:
brew install dnsmasq --with-dnssec
Homebrew dropped support for build options like --with back in 2018. Running this command today either throws a warning and ignores the flag entirely, or errors out depending on your Homebrew version. Either way, DNSSEC support is not actually enabled.
To enable DNSSEC with dnsmasq you need to do it through the config file instead. After a plain brew install dnsmasq, add the following to your dnsmasq.conf:
dnssec
trust-anchor=.,20326,8,2,AA39314560575EBB39AE33D5E79CAAB7B4DFB9A3A1AA47B985B0F6E77766B5C8
The trust anchor above corresponds to KSK-2017 (key tag 20326), which is currently active per https://www.iana.org/dnssec/files. Note that a rollover to KSK-2024 (key tag 38696) is scheduled for October 2026, so this will need updating then. Or, better yet, just point readers to the IANA page directly rather than hardcoding the value.
Would be happy to submit a PR if the fix looks good to maintainers.
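One way to derive the trust-anchor lines from a published anchor file rather than hardcoding them, and to flag retired entries in an existing dnsmasq.conf. This is an added example, not part of the original issue or the guide. It assumes the XML layout of IANA's root-anchors.xml (KeyDigest elements with validFrom/validUntil); the sample dates and digests are constructed placeholders, and key tag 11111 is made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the layout of IANA's root-anchors.xml.
# Dates and digests are placeholders, NOT real root key data; tag 11111 is made up.
_ENTRY = ('<KeyDigest id="{i}" validFrom="{f}"{u}><KeyTag>{t}</KeyTag>'
          '<Algorithm>8</Algorithm><DigestType>2</DigestType>'
          '<Digest>{d}</Digest></KeyDigest>')
SAMPLE_XML = "<TrustAnchor><Zone>.</Zone>" + "".join([
    _ENTRY.format(i="old", t=11111, d="11" * 32, f="2010-01-01T00:00:00+00:00",
                  u=' validUntil="2019-01-01T00:00:00+00:00"'),
    _ENTRY.format(i="cur", t=20326, d="22" * 32, f="2017-01-01T00:00:00+00:00", u=""),
    _ENTRY.format(i="new", t=38696, d="33" * 32, f="2024-01-01T00:00:00+00:00", u=""),
]) + "</TrustAnchor>"


def active_anchor_lines(xml_text, now=None):
    """Return dnsmasq trust-anchor lines for every key digest valid at `now`."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone").strip()
    lines = []
    for kd in root.iter("KeyDigest"):
        start = datetime.fromisoformat(kd.get("validFrom"))
        end = kd.get("validUntil")
        if start > now or (end and datetime.fromisoformat(end) <= now):
            continue  # not yet valid, or already retired
        tag, alg, dtype, digest = (kd.findtext(n).strip()
                                   for n in ("KeyTag", "Algorithm", "DigestType", "Digest"))
        lines.append("trust-anchor=" + ",".join([zone, tag, alg, dtype, digest.upper()]))
    return lines


def stale_anchors(conf_text, valid_lines):
    """Return trust-anchor lines in a dnsmasq.conf that match no currently valid anchor."""
    wanted = {line.lower() for line in valid_lines}
    found = [l.strip() for l in conf_text.splitlines() if l.strip().startswith("trust-anchor=")]
    return [l for l in found if l.lower() not in wanted]


if __name__ == "__main__":
    for line in active_anchor_lines(SAMPLE_XML):
        print(line)
```

Against the real anchor file, verify the download's integrity before trusting its contents.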