[Dnsmasq-discuss] DNSSEC in dnsmasq's parent zone

Uwe Kleine-König uwe+dnsmasq at kleine-koenig.org
Wed Jan 15 15:02:04 UTC 2025


Hello,

I own a domain (kleine-koenig.org) and my OpenWrt router ("happy")
(OpenWrt 24.10.0-rc5 with dnsmasq-full 2.90-r3) in my homenet uses
(among others) the following configuration settings:

	domain=kk4.kleine-koenig.org
	local=/kk4.kleine-koenig.org/
	server=/kleine-koenig.org/192.168.128.3
	auth-server=happy.kleine-koenig.org,192.168.128.4
	auth-zone=kk4.kleine-koenig.org

On the nameserver on 192.168.128.3 I have:

	$ dig +short @192.168.128.3 kk4.kleine-koenig.org NS
	happy.kleine-koenig.org.
	$ dig +short @192.168.128.3 happy.kleine-koenig.org
	192.168.128.4

So dnsmasq serves a recursor on 192.168.144.1 and the auth on 192.168.128.4.

From a host in the homenet I can resolve happy.kk4.kleine-koenig.org just
fine:

	$ dig +dnssec +short @192.168.144.1 happy.kk4.kleine-koenig.org
	192.168.144.1

but when trying to verify that address using DNSSEC, this fails:

	$ delv @192.168.144.1 happy.kk4.kleine-koenig.org
	;; no valid RRSIG resolving 'kk4.kleine-koenig.org/DS/IN': 192.168.144.1#53
	;; broken trust chain resolving 'happy.kk4.kleine-koenig.org/A/IN': 192.168.144.1#53
	;; resolution failed: broken trust chain

When asking 192.168.128.3 it works fine:

	$ delv @192.168.128.3 happy.kk4.kleine-koenig.org
	; unsigned answer
	happy.kk4.kleine-koenig.org. 417 IN	A	192.168.144.1

as it does when asking for an unrelated DNSSEC-signed name:

	$ delv @192.168.144.1 www.powerdns.org
	; fully validated
	www.powerdns.org.	3276	IN	CNAME	powerdns.org.
	www.powerdns.org.	3276	IN	RRSIG	CNAME 13 3 3600 20250123000000 20250102000000 13432 powerdns.org. eVhqAkmhMBgvFYcR+g3kRU2ERtYcJBJghurQsNS4Uz7tyttghf5AU7PX iG4HrsAjwNoyzzOycfxzYrD9r8cHIw==
	powerdns.org.		3276	IN	A	149.210.160.248
	powerdns.org.		3276	IN	RRSIG	A 13 2 3600 20250123000000 20250102000000 13432 powerdns.org. L9J8qokzJSgO1lHeHRY+lZnHNbJL4mxaHCmpSrIHrZB0rhgrC5//Wi6Z w9e08oMHP+lDWA+NfpZgUBh5l94gmw==

The problem (I think) is that dnsmasq doesn't answer the query for an NS
record on the recursive side of dnsmasq:

	$ nslookup -type=ns kk4.kleine-koenig.org 192.168.144.1
	Server:		192.168.144.1
	Address:	192.168.144.1#53

	Non-authoritative answer:
	*** Can't find kk4.kleine-koenig.org: No answer

	Authoritative answers can be found from:

(but it does on the auth side:

	$ nslookup -type=ns kk4.kleine-koenig.org 192.168.128.4
	Server:		192.168.128.4
	Address:	192.168.128.4#53

	kk4.kleine-koenig.org	nameserver = happy.kleine-koenig.org.

).

I would have expected the NS query on the recursive side to also
yield happy.kleine-koenig.org?! Am I missing something, or is this a bug?

Best regards
Uwe
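The delv errors above ("no valid RRSIG resolving 'kk4.kleine-koenig.org/DS/IN'", then "broken trust chain") come from the DS lookup at the parent, not from the A record itself. A validator walking the chain must get, for every zone cut, either a signed DS RRset or a signed NSEC/NSEC3 proof that no DS exists; an unsigned empty answer is neither and is classified as bogus, because accepting it would let anyone downgrade a signed zone to "unsigned" just by forging an empty DS reply. The following toy model of that walk is an added illustration and is not code from dnsmasq or from the post; the delegation names are taken from the message, while the signing status of the zones and the "locally answering" resolver that returns the DS query unsigned are assumptions made to reproduce the two delv outcomes, not a description of dnsmasq's actual behaviour.

```python
"""Toy model of a DNSSEC validator walking the chain of trust (RFC 4035 s5).

Added illustration, not code from dnsmasq or from the original post. Real
RRSIG/NSEC verification is replaced by a ``signed`` flag on each answer; the
zone data is constructed by hand (the names come from the post, the assumption
that kleine-koenig.org is signed and kk4 is an unsigned delegation is ours).
"""
from dataclasses import dataclass


@dataclass
class Answer:
    rdata: list               # DS records; an empty list means NODATA
    signed: bool              # carried a validatable RRSIG (or a signed NSEC denial)
    nsec_proof: bool = False  # signed proof that no DS RRset exists at this name


# Constructed parent-side data: what the authoritative servers above each zone
# cut return for a DS query (child zone name -> answer from its parent zone).
PARENT_DS = {
    "org": Answer(["<DS of org, signed by the root>"], signed=True),
    "kleine-koenig.org": Answer(["<DS of kleine-koenig.org, signed by org>"], signed=True),
    # Unsigned child: the parent proves the *absence* of DS with a signed NSEC.
    "kk4.kleine-koenig.org": Answer([], signed=True, nsec_proof=True),
}


def forwarding_resolver(child_zone: str) -> Answer:
    """Resolver that forwards DS queries to the parent and relays the signed answer."""
    return PARENT_DS[child_zone]


def locally_answering_resolver(child_zone: str) -> Answer:
    """Hypothetical resolver that answers anything inside a zone it treats as
    local, including the DS query, from unsigned local data.  Assumed failure
    mode for illustration only; not a statement about dnsmasq's real logic."""
    if child_zone.endswith("kk4.kleine-koenig.org"):
        return Answer([], signed=False)
    return PARENT_DS[child_zone]


def zone_cuts(zone: str) -> list:
    """Delegation points from the TLD down to ``zone`` itself."""
    labels = zone.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def validate(zone: str, resolver) -> tuple:
    """Walk from the root trust anchor down to ``zone`` and classify the result
    the way delv does: 'secure', 'insecure' (proven unsigned) or 'bogus'."""
    for cut in zone_cuts(zone):
        ans = resolver(cut)
        if not ans.signed:
            return "bogus", f"no valid RRSIG resolving '{cut}/DS/IN'"
        if ans.rdata:
            continue                      # secure delegation, keep descending
        if ans.nsec_proof:
            return "insecure", f"unsigned delegation at {cut} proven by NSEC"
        return "bogus", f"NODATA for {cut}/DS/IN without a signed denial"
    return "secure", "every delegation carries a signed DS"


if __name__ == "__main__":
    for label, res in (("forwarding", forwarding_resolver),
                       ("local-answer", locally_answering_resolver)):
        print(label, validate("kk4.kleine-koenig.org", res))
```

Against a real setup the equivalent check is to ask the recursor directly for the DS record with DNSSEC data requested (`dig +dnssec @192.168.144.1 kk4.kleine-koenig.org DS`) and compare with the same query against the parent's authoritative server: the parent's answer should carry either DS plus RRSIG or an NSEC/NSEC3 record plus RRSIG, and whichever of those the recursor fails to relay is the link where the chain breaks.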