[Dnsmasq-discuss] querying DS from wrong server

Simon Kelley simon at thekelleys.org.uk
Sun Jul 6 22:37:39 UTC 2025



On 6/23/25 21:44, Uwe Kleine-König wrote:
> Hello,
> 
> back in January I hit a DNSSEC related problem that I reported on that
> list, and that resulted in commit
> 8ce27433f8b2e17c557cb55e4f16941d309deeac.
> 
> Now I slightly changed my setup to make it more robust, it works as
> follows now:
> 
> I have a authoritative DNS server for kleine-koenig.org running on
> [::1]:10053 and dnsmasq (running on OpenWrt) configured with
> 
> 	server=/kleine-koenig.org/::1#10053
> 	domain=kk4.kleine-koenig.org
> 
> . The problem I have now is that a dnssec verifying resolver querying the
> forwarding side of dnsmasq sees:
> 
> 	$ delv www.kleine-koenig.org
> 	;; broken trust chain resolving 'kleine-koenig.org/DNSKEY/IN': ::1#53
> 	;; broken trust chain resolving 'www.kleine-koenig.org/A/IN': 127.0.0.1#53
> 	;; resolution failed: broken trust chain
> 
> I think the problem is that the DS query for kleine-koenig.org is also
> forwarded to [::1]:10053. Instead it should be forwarded to the same
> server that (non-DS) queries for .org are sent to.
> 
> So the logic implemented in 8ce27433f8b2e17c557cb55e4f16941d309deeac was
> to short-sighted, a DS query should always go to the parent; not only for
> the zones that dnsmasq is authoritative for.

Agreed, I just pushed 2.92test15 which implements this.

I did a load of testing, and I think every situation works now.

Domain specific server, no DNSSEC records, for a domain which is 
provably not signed higher up the hierarchy.

Domain specific server, no DNSSEC records, for a domain which should be 
signed. (Dnsmasq gives this the benefit of the doubt, but logs a warning.)

Domain specific server with DNSSEC records, that the higher domains 
don't have  DS record for, but there is trust anchor in dnsmasq config.

Domain specific server with DNSSEC records, that the higher domains do 
have  DS record for.

For those last two, DS queries work the same way, returning either the 
local trust anchor, or the DS from the parent.



Cheers,

Simon.


> 
> (Hmm, the DS query has the RD flag set, does that mean that the server
> specified in a --server option has to be a recursor?)
> 
> Best regards
> Uwe
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss




More information about the Dnsmasq-discuss mailing list