[Dnsmasq-discuss] querying DS from wrong server
Simon Kelley
simon at thekelleys.org.uk
Tue Jul 8 15:22:29 UTC 2025
On 7/8/25 14:29, Uwe Kleine-König wrote:
> Hello Simon,
>
> [I set the wrong sender address, so my reply was discarded by the list. So I resend, @Simon, please reply to this copy only and sorry for the duplicate in your inbox]
>
> On 7/8/25 00:52, Simon Kelley wrote:
>> On 7/7/25 22:01, Uwe Kleine-König wrote:
>>> On 7/7/25 19:06, Simon Kelley wrote:
>>> I'm not sure what you mean writing "That's of course wrong.". I'd say
>>> that even without DNSSEC enabled (which is mainly about making dnsmasq a
>>> validating resolver) it should be possible to have a validating client.
>>> Is that what you mean, too?
>>>
>>
>> Sorry for being unclear. What I meant is that forwarding DS queries to the parent should always be done. It shouldn't depend on enabling DNSSEC validation.
>>
>> The 2.92test16 release removes the need for validation to be enabled and it passes your test fine with or without validation enabled.
>
> Ah, I missed that there is a new test tag. Indeed on ..test16 delv is happy (apart from the cookie warnings) even without DNSSEC support compiled in \o/. Thanks.
>
>> www.debian.org doesn't work because dns4.easydns.info doesn't return any data for www.debian.org. It's an authoritative server for debian.org and www.debian.org is a different domain, so it returns a delegation to the nameservers for www.debian.org
>>
>> Dnsmasq needs recursive servers for its upstream servers and you can't point it at authoritative-only servers and have things work unless they have no delegations to sub-domains.
>
> This requirement might be worth mentioning in the documentation. Something like
>
> The specified server is expected to answer queries directly, no
> recursion is applied.
>
> in the paragraphs describing --server.
>
It's mentioned a couple of times that upstream servers must be
recursive. There's also a warning logged if a non-recursive server is
used, or at least there should be. It looks like that has suffered
bit-rot and I've just fixed it.

Cheers,
Simon.
> Best regards
> Uwe
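
An added example, not part of the thread and not dnsmasq's code: a check an operator could run on a captured upstream reply to see whether the server offers recursion (RA bit) and whether the reply is only a delegation, which is the situation described above for an authoritative-only upstream. The sample replies are constructed, with placeholder names and addresses, and the function names are hypothetical.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # RFC 1035 header flag bits
TYPE_NS = 2

def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:    # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:                # root label ends the name
            return off + 1
        off += 1 + n

def classify(msg: bytes) -> dict:
    """Report whether a reply offers recursion and whether it is a referral."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):           # skip each question: name + type + class
        off = skip_name(msg, off) + 4
    first_auth = None
    if an == 0 and ns > 0:
        # No answers: an NS record first in the authority section means a
        # delegation, an SOA record there means a NODATA reply instead.
        off = skip_name(msg, off)
        first_auth = struct.unpack("!H", msg[off:off + 2])[0]
    referral = (flags & 0x000F) == 0 and not flags & AA and first_auth == TYPE_NS
    return {"recursion_available": bool(flags & RA), "referral": referral, "answers": an}

def build_reply(flags, qname, answers=(), authority=()):
    """Constructed sample data: RRs are (owner, type, rdata), class IN, TTL 300."""
    def rr(owner, rtype, rdata):
        return encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    head = struct.pack("!6H", 0x1234, QR | flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    return head + body + b"".join(rr(*r) for r in list(answers) + list(authority))

# Constructed replies: one from an authoritative-only server, one from a recursive one.
REFERRAL = build_reply(RD, "www.child.example",
    authority=[("www.child.example", TYPE_NS, encode_name("ns1.child.example"))])
RECURSIVE = build_reply(RD | RA, "www.child.example",
    answers=[("www.child.example", 1, bytes([192, 0, 2, 10]))])
```

A reply with `recursion_available` false and `referral` true is what a forwarder cannot use: it carries no data for the queried name, only the nameservers to ask next.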