
dnsmasq: enable DNSSEC build option by default #50904

Closed
uhohspaghetios opened this issue Jun 20, 2024 · 3 comments
Labels
request Package request

Comments

@uhohspaghetios
Contributor

I see no reason dnsmasq should not be built with DNSSEC support.
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

At present, even when forwarding DNS requests to, for example, the 9.9.9.9 or 1.1.1.1 caching nameservers with DNSSEC support, the result on the local network is no DNSSEC protection.

For example, if you try to get an IP for dnssec-failed.org using dig or any other method, it should not return a ping, because the DNSSEC is signed with an invalid key. If your system returns an IP address for this domain name, you are at risk of DNS poisoning.
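The resolver check described above, as an added example that is not part of the issue: a POSIX shell function that reads the header lines of `dig` output (the `;; ->>HEADER<<- ... status:` and `;; flags:` lines as printed by BIND's `dig`, an assumption about its output format) and reports whether the queried resolver is validating. A validating resolver answers `SERVFAIL` for the deliberately broken zone `dnssec-failed.org` and sets the `ad` (authenticated data) flag on answers from a correctly signed zone; a resolver that hands back `NOERROR` plus an address for the broken zone is not validating. The `check_resolver` wrapper is hypothetical and only runs `dig` when you call it.

```shell
#!/bin/sh
# Added example (not from the issue): classify a resolver's DNSSEC behaviour
# from `dig` output read on stdin.
#   $1 = "broken"  -> the query was for a zone known to fail validation
#                     (dnssec-failed.org); expect SERVFAIL from a validator.
#   $1 = "signed"  -> the query was for a correctly signed zone; expect the
#                     "ad" flag from a validator.
# Prints: validating | not-validating | inconclusive
dnssec_verdict() {
    mode=$1
    out=$(cat)
    # RCODE from the header line, e.g. "status: SERVFAIL, id: 1234"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    # flag list from ";; flags: qr rd ra ad; QUERY: 1, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case $mode in
        broken)
            if [ "$status" = SERVFAIL ]; then
                echo validating
            elif [ "$status" = NOERROR ]; then
                echo not-validating
            else
                echo inconclusive   # timeout, REFUSED, no header, ...
            fi ;;
        signed)
            case " $flags " in
                *" ad "*) echo validating ;;
                *)        echo not-validating ;;
            esac ;;
        *) echo inconclusive ;;
    esac
}

# Hypothetical live wrapper: query resolver $1 (e.g. ::1 for a local dnsmasq)
# for the broken zone and for a signed zone of your choice ($2).
check_resolver() {
    resolver=$1
    signed_zone=$2
    printf 'broken zone: '
    dig +dnssec dnssec-failed.org @"$resolver" | dnssec_verdict broken
    printf 'signed zone: '
    dig +dnssec "$signed_zone" @"$resolver" | dnssec_verdict signed
}
```

Run `check_resolver ::1 example.org` against a dnsmasq started with `dnssec` and a trust-anchor file; both lines must read `validating` before the local network can be said to have DNSSEC protection. Forwarding to 9.9.9.9 or 1.1.1.1 without local validation typically yields `SERVFAIL` for the broken zone (the upstream validates) but no `ad` flag for the signed one, because dnsmasq strips it unless it validated the answer itself, which is why both checks are needed.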

@classabbyamp classabbyamp added the request Package request label Jun 21, 2024
@classabbyamp classabbyamp changed the title dnsmasq needs to be built with DNSSEC support dnsmasq: enable DNSSEC build option by default Jun 21, 2024
@piekay
Contributor

piekay commented Jun 23, 2024

Dnsmasq is already being compiled with DNSSEC support. It just isn't enabled by default. See #41786. I am not entirely sure if it's worth it to enable DNSSEC by default and potentially break somebody's workflow.

@uhohspaghetios
Contributor Author

uhohspaghetios commented Jun 26, 2024

I am going to disagree with you there. I get this error when setting the dnssec option in dnsmasq.conf:

```
% doas dnsmasq -u dnsmasq -g dnsmasq

dnsmasq: unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support) at line 6 of /usr/share/dnsmasq/trust-anchors.conf
```

My dnsmasq.conf file:

```
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
strict-order
no-resolv
server=::1#53000
listen-address=::1
no-dhcp-interface=::1
bind-interfaces
no-hosts
cache-size=1000
```

I took a look at the template file. I see the build option to build with DNSSEC support, but apparently that is not happening.

From the template:

```sh
build_options="dnssec"
desc_option_dnssec="Enable DNSSEC support via nettle"
```

What calls that build option to be set?
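Before editing the config, the question "was this binary actually built with DNSSEC?" can be settled from the binary itself. The following is an added example, not code from the issue or from the void-packages template: `dnsmasq --version` prints a `Compile time options:` line in which each feature appears either by name (`DNSSEC`) or prefixed with `no-` (`no-DNSSEC`), and the function below reads that line from stdin. The sample version output embedded for offline use is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the issue or the void-packages template).
# Reads `dnsmasq --version` text on stdin and prints yes / no / unknown for
# the compile-time feature named in $1 (e.g. DNSSEC, DHCP, DBus).
compile_option_state() {
    feature=$1
    opts=$(sed -n 's/^Compile time options: *//p' | head -n 1)
    state=unknown            # no "Compile time options:" line, or feature absent
    for o in $opts; do
        if [ "$o" = "$feature" ]; then state=yes; break; fi
        if [ "$o" = "no-$feature" ]; then state=no; break; fi
    done
    echo "$state"
}

# Live check on a real system:
#   dnsmasq --version | compile_option_state DNSSEC

# Constructed sample outputs (not from a real build) so the check runs offline.
sample_with='Dnsmasq version 0.0 (constructed sample)
Compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile'
sample_without='Dnsmasq version 0.0 (constructed sample)
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile'

# Guard for a start script: succeed only if the given version text shows
# DNSSEC compiled in, so `dnssec` in dnsmasq.conf cannot be enabled against a
# binary that will reject it with "unsupported option".
dnssec_ready() {
    [ "$(printf '%s\n' "$1" | compile_option_state DNSSEC)" = yes ]
}
```

`dnssec_ready "$(dnsmasq --version)" || echo 'dnsmasq built without DNSSEC'` is the one-liner form. On the packaging side, as documented in the void-packages Manual, whether an option listed in `build_options` is on for a build comes from `build_options_default` in the template and from `XBPS_PKG_OPTIONS` or a per-package `XBPS_PKG_OPTIONS_dnsmasq` setting in `etc/conf`; the template excerpt quoted above declares the option and its description but no default, which is consistent with the option being available yet off in the binary package.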

@classabbyamp
Member
