[Dnsmasq-discuss] querying DS from wrong server
Uwe Kleine-König
uwe+dnsmasq at kleine-koenig.org
Mon Jun 23 20:44:28 UTC 2025
Hello,
back in January I hit a DNSSEC related problem that I reported on that
list, and that resulted in commit
8ce27433f8b2e17c557cb55e4f16941d309deeac.
Now I have slightly changed my setup to make it more robust; it works as
follows:
I have an authoritative DNS server for kleine-koenig.org running on
[::1]:10053 and dnsmasq (running on OpenWrt) configured with
server=/kleine-koenig.org/::1#10053
domain=kk4.kleine-koenig.org
The problem I have now is that a DNSSEC-verifying resolver querying the
forwarding side of dnsmasq sees:
$ delv www.kleine-koenig.org
;; broken trust chain resolving 'kleine-koenig.org/DNSKEY/IN': ::1#53
;; broken trust chain resolving 'www.kleine-koenig.org/A/IN': 127.0.0.1#53
;; resolution failed: broken trust chain
I think the problem is that the DS query for kleine-koenig.org is also
forwarded to [::1]:10053. Instead it should be forwarded to the same
server that (non-DS) queries for .org are sent to.
So the logic implemented in 8ce27433f8b2e17c557cb55e4f16941d309deeac was
too short-sighted: a DS query should always go to the parent, not only for
the zones that dnsmasq is authoritative for.
(Hmm, the DS query has the RD flag set, does that mean that the server
specified in a --server option has to be a recursor?)
Best regards
Uwe
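As an added illustration of the routing rule argued for in the post (example code, not dnsmasq's own), here is a toy model of server=/domain/ longest-suffix matching in which a DS query is matched on the parent name, because the DS RRset is published in the parent zone. The forwarding table mirrors the post's server= line; the upstream name is a constructed placeholder.

```python
"""Toy model of dnsmasq-style query routing with a DS-to-parent rule (added example)."""

DEFAULT_UPSTREAM = "upstream-resolver"  # constructed placeholder for the default server

# Constructed forwarding table mirroring the post's configuration:
#   server=/kleine-koenig.org/::1#10053
FORWARD_RULES = {
    "kleine-koenig.org.": "[::1]:10053",
}


def normalize(name: str) -> str:
    """Lower-case and make the name a fully qualified one with a trailing dot."""
    return name.lower().rstrip(".") + "."


def parent(name: str) -> str:
    """Return the parent of an FQDN ('www.example.org.' -> 'example.org.'); root stays root."""
    name = normalize(name)
    if name == ".":
        return "."
    return name.split(".", 1)[1] or "."


def choose_server(qname, qtype, rules=FORWARD_RULES, default=DEFAULT_UPSTREAM, ds_to_parent=True):
    """Pick the upstream for a query by longest-suffix match, like server=/domain/ in dnsmasq.

    With ds_to_parent=True a DS query is matched on the parent of qname, since the DS
    record for a zone lives in the parent zone; with ds_to_parent=False the DS query is
    matched on qname itself, which is the behaviour the post describes as the problem.
    """
    name = normalize(qname)
    lookup = parent(name) if (qtype == "DS" and ds_to_parent) else name
    # Walk from the full name towards the root; the first hit is the longest match.
    labels = lookup.rstrip(".").split(".") if lookup != "." else []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in rules:
            return rules[candidate]
    return default


if __name__ == "__main__":
    for qname, qtype, flag in [("www.kleine-koenig.org", "A", True),
                               ("kleine-koenig.org", "DS", False),
                               ("kleine-koenig.org", "DS", True),
                               ("www.kleine-koenig.org", "DS", True)]:
        print(f"{qtype:>5} {qname:<24} ds_to_parent={flag!s:<5} -> "
              f"{choose_server(qname, qtype, ds_to_parent=flag)}")
```

The third case is the one from the post: the DS for kleine-koenig.org goes to the same server that handles .org, not to the authoritative server for the zone itself, while a DS for a name below the zone apex still goes to [::1]:10053.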