[Dnsmasq-discuss] querying DS from wrong server

Uwe Kleine-König uwe+dnsmasq at kleine-koenig.org
Tue Jul 8 13:29:07 UTC 2025


Hello Simon,

[I set the wrong sender address, so my reply was discarded by the list. So I resend, @Simon, please reply to this copy only and sorry for the duplicate in your inbox]

On 7/8/25 00:52, Simon Kelley wrote:
> On 7/7/25 22:01, Uwe Kleine-König wrote:
>> On 7/7/25 19:06, Simon Kelley wrote:
>> I'm not sure what you mean writing "That's of course wrong.". I'd say
>> that even without DNSSEC enabled (which is mainly about making dnsmasq a
>> validating resolver) it should be possible to have a validating client.
>> Is it that what you mean, too?
>>
> 
> Sorry for being unclear. What I meant is that forwarding DS queries to the parent should always be done. It shouldn't  depend on enabling DNSSEC validation.
> 
> The 2.92test16 release removes the need for validation to be enabled and it passes your test fine with or without validation enabled.

Ah, I missed that there is a new test tag. Indeed on ..test16 delv is happy (apart from the cookie warnings) even without DNSSEC support compiled in \o/. Thanks.

> www.debian.org doesn't work because dns4.easydns.info doesn't return any data for www.debian.org. It's an authoritative server for debian.org and www.debian.org is a different domain, so it returns a delegation to the nameservers for www.debian.org
> 
> Dnsmasq needs recursive servers for its upstream servers and you can't point it at authoritative-only servers and have things work unless they have no delegations to sub-domains.

This requirement might be worth to mention in the documentation. Something like

	The specified server is expected to answer queries directly, no
        recursion is applied.

in the paragraphs describing --server.

Best regards
Uwe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20250708/1f4c9ccd/attachment.sig>


More information about the Dnsmasq-discuss mailing list