[Dnsmasq-discuss] querying DS from wrong server

Simon Kelley simon at thekelleys.org.uk
Tue Jul 8 15:22:29 UTC 2025 


On 7/8/25 14:29, Uwe Kleine-König wrote:
> Hello Simon,
> 
> [I set the wrong sender address, so my reply was discarded by the list. So I resend, @Simon, please reply to this copy only and sorry for the duplicate in your inbox]
> 
> On 7/8/25 00:52, Simon Kelley wrote:
>> On 7/7/25 22:01, Uwe Kleine-König wrote:
>>> On 7/7/25 19:06, Simon Kelley wrote:
>>> I'm not sure what you mean writing "That's of course wrong.". I'd say
>>> that even without DNSSEC enabled (which is mainly about making dnsmasq a
>>> validating resolver) it should be possible to have a validating client.
>>> Is it that what you mean, too?
>>>
>>
>> Sorry for being unclear. What I meant is that forwarding DS queries to the parent should always be done. It shouldn't  depend on enabling DNSSEC validation.
>>
>> The 2.92test16 release removes the need for validation to be enabled and it passes your test fine with or without validation enabled.
> 
> Ah, I missed that there is a new test tag. Indeed on ..test16 delv is happy (apart from the cookie warnings) even without DNSSEC support compiled in \o/. Thanks.
> 
>> www.debian.org doesn't work because dns4.easydns.info doesn't return any data for www.debian.org. It's an authoritative server for debian.org and www.debian.org is a different domain, so it returns a delegation to the nameservers for www.debian.org
>>
>> Dnsmasq needs recursive servers for its upstream servers and you can't point it at authoritative-only servers and have things work unless they have no delegations to sub-domains.
> 
> This requirement might be worth to mention in the documentation. Something like
> 
> 	The specified server is expected to answer queries directly, no
>          recursion is applied.
> 
> in the paragraphs describing --server.
> 

It's mentioned a couple of times that upstream servers must be 
recursive. There's also a warning logged if a non-recursive server is 
used, or at least there should be. It looks like that has suffered 
bit-rot and I've just fixed it.



Cheers,

Simon.


> Best regards
> Uwe

More information about the Dnsmasq-discuss mailing list