[Dnsmasq-discuss] possible minor bug: Caching the results of queries with +cd set...

Nicholas Weaver nweaver at gmail.com
Tue Feb 15 15:46:19 GMT 2011


(Note: I don't have the version # with me right now, as the NAT in
question is at home, I can send that tonight)...


Experimenting with DNSSEC (the Comcast no-wildcarding servers are now
full DNSSEC), I observed the following:

www.dnssec-failed.org is a (comcast owned) domain with deliberately
broken DNSSEC information.  The NAT I'm using uses dnsmasq and gives
the NAT's IP for the resolver address (always).



dig www.dnssec-failed.org
  properly fails

dig +cd www.dnssec-failed.org
  properly succeeds, showing that +cd (Checking disabled) is properly
forwarded to the resolver.

But then, a normal
dig www.dnssec-failed.org
  will succeed, as dnsmasq cached the result of the +cd query.


Basically, queries with +cd set should bypass the cache always: they
should both go out onto the wire with +cd set AND the result should
not be placed in the cache.
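As an added illustration, not part of this post or of dnsmasq's own code, the following Python model replays the three digs above against a toy caching forwarder: with bypass_cache_for_cd=False it reproduces the reported behaviour (the +cd answer is served to a later plain query), with True it applies the proposed rule. The upstream resolver, domain outcome and answer address are constructed stand-ins.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035); CD = Checking Disabled.
FLAG_RD = 0x0100
FLAG_CD = 0x0010

def build_header(qid, flags):
    """Construct a 12-byte wire-format DNS header: id, flags, qdcount=1, rest 0."""
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)

def cd_set(header):
    """Read the CD bit out of a wire-format DNS header."""
    flags = struct.unpack("!H", header[2:4])[0]
    return bool(flags & FLAG_CD)

class ValidatingUpstream:
    """Constructed stand-in for a validating resolver (not real code)."""
    def resolve(self, name, cd):
        # A domain with deliberately broken DNSSEC: fails unless CD is set.
        if name == "www.dnssec-failed.org" and not cd:
            return None            # SERVFAIL
        return "203.0.113.10"      # constructed answer (TEST-NET-3 address)

class Forwarder:
    """Caching forwarder; bypass_cache_for_cd=False reproduces the report."""
    def __init__(self, upstream, bypass_cache_for_cd):
        self.upstream = upstream
        self.bypass = bypass_cache_for_cd
        self.cache = {}

    def query(self, name, header):
        cd = cd_set(header)
        uses_cache = not (cd and self.bypass)   # CD queries skip the cache when fixed
        if uses_cache and name in self.cache:
            return self.cache[name]
        answer = self.upstream.resolve(name, cd)  # CD bit forwarded on the wire
        if answer is not None and uses_cache:
            self.cache[name] = answer             # buggy path: caches the +cd answer
        return answer

def run_scenario(bypass_cache_for_cd):
    """Replay the three digs from the report; returns their three answers."""
    fwd = Forwarder(ValidatingUpstream(), bypass_cache_for_cd)
    name = "www.dnssec-failed.org"
    plain = build_header(1, FLAG_RD)
    with_cd = build_header(2, FLAG_RD | FLAG_CD)
    return (fwd.query(name, plain), fwd.query(name, with_cd), fwd.query(name, plain))
```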


