[Dnsmasq-discuss] DNSSEC query sent upstream despite local domain
Dominik Derigs
dl6er at dl6er.de
Sun May 4 17:29:14 UTC 2025
Hey Simon and list readers,
we are seeing an interesting report, first the log file:
Apr 21 19:00:01 dnsmasq[310194]: query[PTR] 1.1.0.10.in-addr.arpa from 127.0.0.1
Apr 21 19:00:01 dnsmasq[310194]: forwarded 1.1.0.10.in-addr.arpa to 10.0.1.1
Apr 21 19:00:01 dnsmasq[310194]: dnssec-query[DS] 10.in-addr.arpa to 8.8.4.4
Apr 21 19:00:01 dnsmasq[310194]: Insecure DS reply received for 10.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
Apr 21 19:00:01 dnsmasq[310194]: reply 10.in-addr.arpa is BOGUS DS - not secure
Apr 21 19:00:01 dnsmasq[310194]: validation 1.1.0.10.in-addr.arpa is BOGUS
Relevant config lines are:
no-resolv
bogus-priv
server=8.8.8.8
server=8.8.4.4
rev-server=10.0.1.0/24,10.0.1.1
server=/fritz.box/10.0.1.1
dnssec
trust-anchor=.,<the default value>
In the context of bogus-priv - is it actually expected that
DNSSEC-related queries are sent to non-local servers? My interpretation
is that they shouldn't be sent upstream here...
Best,
Dominik
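
Added example, not part of the original post and not dnsmasq code: a log check that flags dnssec-query lines for private reverse zones sent to a non-private server, which is the behaviour reported above. The zone list is narrowed to the RFC 1918 reverse zones as an assumption of this example, and the function names are hypothetical.

```python
import ipaddress
import re

# Assumption of this example: only the RFC 1918 reverse zones are checked
# (10/8, 172.16/12, 192.168/16).
PRIVATE_REV_ZONES = ["10.in-addr.arpa", "168.192.in-addr.arpa"] + [
    f"{n}.172.in-addr.arpa" for n in range(16, 32)
]

DNSSEC_QUERY = re.compile(r"dnssec-query\[(?P<rtype>\w+)\] (?P<name>\S+) to (?P<server>\S+)")

# Log lines from the post above, with the mail line wrapping joined.
SAMPLE_LOG = [
    "Apr 21 19:00:01 dnsmasq[310194]: query[PTR] 1.1.0.10.in-addr.arpa from 127.0.0.1",
    "Apr 21 19:00:01 dnsmasq[310194]: forwarded 1.1.0.10.in-addr.arpa to 10.0.1.1",
    "Apr 21 19:00:01 dnsmasq[310194]: dnssec-query[DS] 10.in-addr.arpa to 8.8.4.4",
    "Apr 21 19:00:01 dnsmasq[310194]: reply 10.in-addr.arpa is BOGUS DS - not secure",
    "Apr 21 19:00:01 dnsmasq[310194]: validation 1.1.0.10.in-addr.arpa is BOGUS",
]

def in_private_rev_zone(name):
    """True if name is one of the private reverse zones or a name below one."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in PRIVATE_REV_ZONES)

def leaked_dnssec_queries(lines):
    """Return (rtype, name, server) for each DNSSEC query about a private
    reverse zone that was sent to a server outside private address space."""
    hits = []
    for line in lines:
        m = DNSSEC_QUERY.search(line)
        if not m:
            continue
        try:
            # dnsmasq may append "#port" to a server address; drop it.
            server = ipaddress.ip_address(m["server"].split("#")[0])
        except ValueError:
            continue  # not an IP literal, nothing to classify
        if in_private_rev_zone(m["name"]) and not server.is_private:
            hits.append((m["rtype"], m["name"].lower(), str(server)))
    return hits

if __name__ == "__main__":
    for rtype, name, server in leaked_dnssec_queries(SAMPLE_LOG):
        print(f"{rtype} query for {name} left the local network via {server}")
```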