[Dnsmasq-discuss] DNSSEC and all-servers

Simon Kelley simon at thekelleys.org.uk
Thu Oct 7 21:01:15 UTC 2021

On 07/10/2021 10:59, Tobias via Dnsmasq-discuss wrote:
> Hi,
> when "dnssec" and "all-servers" are set, according to the log it seems
> queries are usually forwarded to all upstream servers as expected, but
> the internal "dnssec-query"s are not, they are only sent to one, which
> is unexpected with "all-servers". (They are also not balanced but more
> like 16:1 sent to the first upstream server, which is usually the faster
> one, I assume that's why?)>
> Another issue, probably not related to "all-servers", and maybe not even
> DNSSEC: When there's an A query followed by an AAAA query, the log shows
> two identical consecutive internal DS/DNSKEY queries (to the same
> upstream, verified via upstream log), isn't that unnecessary/excessive?

What version are you running? Your second point was addressed in release
2.86, so I guess something earlier.

The code for determining which server to use for DNSSEC queries was also
touched in 2.86, but the principle remains the same. The code tries hard
to use the same server as provided the answer being validated.  This may
not be possible in some circumstances, and if that server doesn't
respond, the strategy for picking another server changed in 2.86, but in
general it's true.

That explains your observation. The original query gets sent to all the
servers and whichever answers first has its answer used, and gets the
subsidiary queries for DNSSEC. A single server may often be the fastest,
or it might just be that the query is always sent to the servers in the
same order, so the first one to receive it normally wins.


More information about the Dnsmasq-discuss mailing list