[Dnsmasq-discuss] querying DS from wrong server

Simon Kelley simon at thekelleys.org.uk
Mon Jul 7 22:52:13 UTC 2025



On 7/7/25 22:01, Uwe Kleine-König wrote:
> Hello Simon,
> 
> On 7/7/25 19:06, Simon Kelley wrote:
>> On 7/7/25 08:40, Uwe Kleine-König wrote:
>>>
>>> I think that's still broken. To use a testcase that we both can use, I did the following:
>>>
>>>      dnsmasq -p 10053 -d -q --server=/debian.org/dns4.easydns.info
>>>
>>> and then query using:
>>>
>>>      $ delv @::1 -p 10053 debian.org A
>>>      ;; chase DS servers resolving 'debian.org/DS/IN': ::1#10053
>>>      ;; missing expected cookie from ::1#10053
>>>      ;; missing expected cookie from ::1#10053
>>>      ;; missing expected cookie from ::1#10053
>>>      ;; missing expected cookie from ::1#10053
>>>      ;; broken trust chain resolving 'debian.org/DNSKEY/IN': ::1#10053
>>>      ;; broken trust chain resolving 'debian.org/A/IN': ::1#10053
>>>      ;; resolution failed: broken trust chain
>>>
>>> This request makes dnsmasq log:
>>>
>>>      dnsmasq: query[A] debian.org from ::1
>>>      dnsmasq: forwarded debian.org to 2620:49:4::10
>>>      dnsmasq: reply debian.org is 151.101.194.132
>>>      dnsmasq: reply debian.org is 151.101.66.132
>>>      dnsmasq: reply debian.org is 151.101.2.132
>>>      dnsmasq: reply debian.org is 151.101.130.132
>>>      dnsmasq: reply debian.org is <RRSIG>
>>>      dnsmasq: query[DNSKEY] debian.org from ::1
>>>      dnsmasq: forwarded debian.org to 2620:49:4::10
>>>      dnsmasq: reply is truncated
>>>      dnsmasq: query[DNSKEY] debian.org from ::1
>>>      dnsmasq: forwarded debian.org to 2620:49:4::10
>>>      dnsmasq: reply debian.org is <DNSKEY>
>>>      dnsmasq: reply debian.org is <DNSKEY>
>>>      dnsmasq: reply debian.org is <DNSKEY>
>>>      dnsmasq: reply debian.org is <RRSIG>
>>>      dnsmasq: reply debian.org is <RRSIG>
>>>      dnsmasq: query[DS] debian.org from ::1
>>>      dnsmasq: forwarded debian.org to 2620:49:4::10
>>>      dnsmasq: reply debian.org is NODATA
>>>      ...
>>>
>>> In my understanding the DS query must not go to 2620:49:4::10.
>>
>> and it does, if you compile dnsmasq with DNSSEC validation, and enable it :) That's of course wrong, blame force of habit.
>>
>> 2.92test16 should fix this. It certainly works for me in your excellent test case.
> 
> I compiled dnsmasq with DNSSEC support (using `make COPTS=-DHAVE_DNSSEC`) and indeed if I use
> 
> 	./src/dnsmasq --dnssec --trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D -p 10053 -d -q --server=/debian.org/dns4.easydns.info
> 
> I get
> 
> 	$ delv @::1 -p 10053 debian.org
> 	;; missing expected cookie from ::1#10053
> 	;; missing expected cookie from ::1#10053
> 	;; missing expected cookie from ::1#10053
> 	;; missing expected cookie from ::1#10053
> 	; fully validated
> 	debian.org.		300	IN	A	151.101.2.132
> 	debian.org.		300	IN	A	151.101.66.132
> 	debian.org.		300	IN	A	151.101.130.132
> 	debian.org.		300	IN	A	151.101.194.132
> 	debian.org.		300	IN	RRSIG	A 8 2 300 20250812095101 20250703090442 21715 debian.org. BoFG3VJoDcjug+4Xz6YAYVOwBvKGDlul7WxTkG2EJQm6SOPTec1UCndQ LsKkAAG0PcP9JYwE1AsaJmjsw0jlHSjORjHXb7vodhnbAE6YCWzOw3JX o4mceWXnC1hQCz3/mevuCgzPtaXloWPLf5W+O/lOZkfEr8cdMuFhRAIb 7FFNh4upw9JlTNQbTvG5J/P0lu/OzLeBwkzoxIQN+vjDCa2ATsVGmQy8 J711Bch0f8903xyynXxG27o1xyuNkzYB
> 
> I didn't understand what the cookie issue is. And even with this full
> setting resolving www.debian.org doesn't work.
> 
> I'm not sure what you mean writing "That's of course wrong.". I'd say
> that even without DNSSEC enabled (which is mainly about making dnsmasq a
> validating resolver) it should be possible to have a validating client.
> Is it that what you mean, too?
> 

Sorry for being unclear. What I meant is that forwarding DS queries to 
the parent should always be done. It shouldn't depend on enabling 
DNSSEC validation.

The 2.92test16 release removes the need for validation to be enabled and 
it passes your test fine with or without validation enabled.

www.debian.org doesn't work because dns4.easydns.info doesn't return any 
data for www.debian.org. It's an authoritative server for debian.org and 
www.debian.org is a different domain, so it returns a delegation to the 
nameservers for www.debian.org.

Dnsmasq needs recursive servers for its upstream servers and you can't 
point it at authoritative-only servers and have things work unless they 
have no delegations to sub-domains.

You get the same error if you point delv directly at dns4.easydns.info 
since delv also doesn't recurse and needs to talk to a recursive server.


Cheers,

Simon.


> Best regards
> Uwe
> 
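A small model of the upstream-selection rule this thread is about, added here as an illustration and not taken from dnsmasq's sources: a DS record lives in the parent zone, so a forwarder must look up the upstream for the parent name, not for the queried name. The server map mirrors the test case's `--server=/debian.org/dns4.easydns.info`; the default recursive server name is a hypothetical placeholder.

```python
# Added example (not dnsmasq code). Models how a forwarder with per-domain
# upstreams must choose the server for a DS query: DS records are published
# by the PARENT zone, so the server configured for "debian.org" must not be
# asked for debian.org's own DS record (that is what the log above shows).

from typing import Dict, Tuple

# Constructed config, mirroring the thread's test case. The empty key is the
# default upstream; its name is a hypothetical placeholder.
SERVERS: Dict[str, str] = {
    "debian.org": "dns4.easydns.info",   # authoritative for debian.org only
    "": "default-recursive.example",     # hypothetical default recursive server
}


def parent_of(name: str) -> str:
    """Return the parent domain: 'debian.org' -> 'org', 'org' -> '' (root)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def longest_suffix_match(name: str, servers: Dict[str, str]) -> Tuple[str, str]:
    """Return (matched_domain, server) for the most specific configured suffix,
    walking up label by label until the default ("") entry is reached."""
    n = name.rstrip(".").lower()
    while True:
        if n in servers:
            return n, servers[n]
        if n == "":
            raise LookupError("no default server configured")
        n = parent_of(n)


def pick_upstream(qname: str, qtype: str, servers: Dict[str, str],
                  apply_ds_rule: bool = True) -> str:
    """Choose the upstream for (qname, qtype).

    With apply_ds_rule=True a DS query is matched against the parent name,
    so 'debian.org DS' goes to the default server rather than to the
    debian.org-specific one. apply_ds_rule=False reproduces the behaviour
    in the quoted log, where the DS query was sent to 2620:49:4::10 because
    the rule was only applied when DNSSEC validation was enabled.
    """
    lookup_name = parent_of(qname) if (apply_ds_rule and qtype.upper() == "DS") else qname
    _, server = longest_suffix_match(lookup_name, servers)
    return server
```

A validating client such as delv chases the DS chain itself, so a forwarder that applies the parent rule lets the client validate even when the forwarder does no validation of its own.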