Is DNSSEC a placebo?

DD-WRT Forum Index -> Advanced Networking
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Mon Dec 31, 2018 17:19    Post subject: Is DNSSEC a placebo?
I'm not convinced that the DNSSEC option in the dnsmasq configuration section (gui>services>services) has any actual meaning. If "Validate DNS Replies (DNSSEC)" is enabled but "Check unsigned DNS replies" is not (say out of performance concerns), then a spoofed, unsigned response would not be identified as a problem.

Now suppose "Check unsigned DNS replies" is enabled as well and a dns reply arrives that is an unsigned spoof. In principle dnsmasq queries the upstream resolvers to see whether a signature appeared at any point and so discovers that a signature was later removed. But a well-programmed spoofing system could in principle spoof those responses as well and convince dnsmasq that the record was never signed at any point. If dnscrypt is enabled in the router, either through enabling "Encrypt DNS" in the GUI or using startup commands (needed in some routers/releases to avoid an ntp race condition), a response from the upstream resolvers could also be spoofed, as even if they are dnscrypt enabled, the router's dnscrypt configuration is not set up (behind-the-scenes certificate action) to work with them.

Yes, it'd be a complicated attack and no doubt unlikely, but isn't the whole purpose of DNSSEC (in the rare cases that sites use it) to protect from low-probability but high-consequence attacks? Right now the use of DNSSEC by websites seems so rare as to be irrelevant, but if ".bank" ever catches on as an alternative to ".com" for bank websites, its spec requires the use of DNSSEC.

What am I missing? Is DNSSEC a pointless placebo? Or only there to catch low-energy spoofing attacks that only attack the last mile of the DNS resolution process? The last mile is covered by dnscrypt, so what then would be the point of DNSSEC?

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
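Added example, not from the post above and not DD-WRT's own generated dnsmasq.conf: the weak setting the post describes, beside the corrected one, written as plain dnsmasq directives. It assumes that DD-WRT's "Validate DNS Replies (DNSSEC)" checkbox emits `dnssec` and "Check unsigned DNS replies" emits `dnssec-check-unsigned`; the timestamp file path and the upstream server address are placeholders.

```conf
# Added example; assumes the two DD-WRT GUI checkboxes map to the two
# dnsmasq directives "dnssec" and "dnssec-check-unsigned".  Path and
# upstream address below are placeholders.

### Weak: validation on, downgrade check off ###
# "dnssec" alone validates replies that still carry their RRSIGs.  A reply
# from which an on-path attacker stripped the signatures is then treated as
# coming from an unsigned zone and accepted as INSECURE, which is the
# downgrade the post worries about.
#dnssec

### Corrected ###
# Local validation is meaningless without a trust anchor to chain up to.
# This is the root zone KSK-2017 as a DS record:
# key tag 20326, algorithm 8 (RSA/SHA-256), digest type 2 (SHA-256).
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

# Validate signed replies ...
dnssec
# ... and, for any unsigned reply, require a signed proof (NSEC/NSEC3
# records from the parent zone, themselves chaining to the trust anchor)
# that the zone really has no DS record.  A spoofer who strips signatures
# cannot forge that proof without the parent zone's key, so the answer
# becomes BOGUS (SERVFAIL to the client) instead of silently INSECURE.
dnssec-check-unsigned

# Signature validity windows need a correct clock.  On a router that boots
# with a bogus time and only learns the real time from NTP later, skip the
# time check until dnsmasq is sent SIGINT (do that from the NTP-sync hook):
dnssec-no-timecheck
# Alternative: let dnsmasq judge clock sanity by the mtime of a file it
# maintains itself (placeholder path):
#dnssec-timestamp=/var/lib/misc/dnsmasq.time

# Validation happens on the router, so the upstream resolver does not have
# to validate; it only has to hand back DNSSEC records when asked.
# Placeholder upstream in the RFC 5737 documentation range; with a local
# DNSCrypt proxy this would be 127.0.0.1#<port> instead.
server=192.0.2.53
```

Two things worth checking after a change like this. First, `dig +dnssec` against the router for a name in a signed zone should come back with the `ad` flag set, while a deliberately broken test zone (dnssec-failed.org is the commonly used one) should return SERVFAIL rather than an answer; with `log-queries` dnsmasq also logs the SECURE/INSECURE/BOGUS result of each validation. Second, keep this distinct from dnsmasq's `proxy-dnssec`, which only forwards the upstream resolver's AD bit: that is the "trust the resolver" model an encrypted transport already gives you, whereas `dnssec` plus a trust anchor validates the chain locally, which is the one property the encrypted last mile does not provide.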