[Dnsmasq-discuss] Warning: Negative DS reply without NS record received
Simon Kelley
simon at thekelleys.org.uk
Thu Aug 28 16:27:35 UTC 2025
The messages are new in the latest code; it's quite possible that
nothing has actually changed in terms of behaviour.
What's probably happening is that your dnsmasq config is redirecting
those domains away to either local data or a domain-specific DNS server
which doesn't do DNSSEC. In that case, there's no proof in the
chain-of-trust from the DNS root that that domain is allowed to have
unsigned data, since the global DNS doesn't know that it exists: the
chain-of-trust from ip6.arpa says that subdomains of ip6.arpa should be
signed. In most circumstances dnsmasq will therefore flag unsigned data
in 2.ip6.arpa as bogus, but in this case, because it knows that your
configuration is slapping local unsigned data over the top of that
domain, it allows it, but warns you.
Without this, doing ad-blocking by returning, effectively, lies about
the DNS records in ad-broker domains would be impossible to combine with
DNSSEC.
"Negative DS reply without NS record received for [internal LAN domain],
assuming non-DNSSEC domain-specific server."
is the easiest example to understand here: dnsmasq is returning records
for your internal LAN domain that aren't signed, and which the global
chain-of-trust doesn't know about, so it can't attest that it isn't signed.
Dnsmasq is giving it a pass, because you configured it, but warning you
just in case.
The .arpa ones are probably from rev-server configs that override chunks
of the IP address space for reverse queries and turn into PTR queries in
in-addr.arpa or ip6.arpa.
A dump of the complete dnsmasq config (sent to me rather than the list,
if you prefer) would be interesting.
Cheers,
Simon.
PS. I checked: looking up stuff in 2.ip6.arpa through dnsmasq with
DNSSEC on and using google.dns as upstream, but no local override of
that domain, behaves as expected with no warnings.
On 8/28/25 06:51, Iain Hart wrote:
> Hello,
>
> I use Pi-hole with Unbound and with DNSSEC enabled, and Pihole has been
> giving me these dnsmasq warnings:
> "Negative DS reply without NS record received for 2.ip6.arpa, assuming
> non-DNSSEC domain-specific server."
> "Negative DS reply without NS record received for f.ip6.arpa, assuming
> non-DNSSEC domain-specific server."
> "Negative DS reply without NS record received for [internal LAN domain],
> assuming non-DNSSEC domain-specific server."
> "Negative DS reply without NS record received for 9.9.in-addr.arpa,
> assuming non-DNSSEC domain-specific server."
>
> I can’t seem to find any documentation specific to that error message,
> and a query on the Pi-hole discourse site got no responses.
>
> I have confirmed using dig and a public DNS server (8.8.8.8) that e.g. a
> DS query for 2.ip6.arpa returns no data, and similarly an NS query for
> 2.ip6.arpa returns no data, so I don’t think it’s my configuration. But
> I’m also not sure if this is actually a problem that needs a warning for
> these addresses? Seems like it’s pretty core internet infrastructure and
> I’d expect if it was a problem it would have been dealt with before now.
>
> Many thanks
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
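As an added illustration of the explanation above (not code from the thread or from dnsmasq itself): the script below maps each "Negative DS reply without NS record" warning back to the server=/local=/address=/rev-server= line that overrides that domain, using the rev-server to in-addr.arpa / ip6.arpa rewrite the dnsmasq man page describes. The config and log lines are constructed samples; the script only handles rev-server prefixes that are whole octets (IPv4) or whole nibbles (IPv6).

```python
"""Explain dnsmasq 'Negative DS reply without NS record' warnings from the config."""
import ipaddress
import re

WARNING_RE = re.compile(r"Negative DS reply without NS record received for (\S+), "
                        r"assuming non-DNSSEC domain-specific server")

def reverse_zone(cidr):
    """Reverse-DNS name that a rev-server=CIDR line overrides (man page equivalence)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("example only handles whole-octet IPv4 prefixes")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("example only handles whole-nibble IPv6 prefixes")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def overridden_domains(config_text):
    """{domain: config line} for every domain answered locally or by a domain-specific server."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(rev-server|server|local|address)=(.*)$", line)
        if not m or line.startswith("#"):
            continue
        key, rest = m.groups()
        if key == "rev-server":                      # rev-server=CIDR,upstream
            found[reverse_zone(rest.split(",", 1)[0])] = line
        elif rest.startswith("/"):                   # server=/a.lan/b.lan/10.0.0.1
            for name in rest.split("/")[1:-1]:
                found[name.strip(".").lower()] = line
    return found

def explain_warnings(log_text, overrides):
    """{warned domain: explaining config line, or None if no override covers it}."""
    result = {}
    for logline in log_text.splitlines():
        m = WARNING_RE.search(logline)
        if m:
            name = m.group(1).lower()
            hit = next((d for d in overrides if name == d or name.endswith("." + d)), None)
            result[name] = overrides.get(hit)
    return result

# Constructed sample config and log lines (hypothetical addresses and names).
SAMPLE_CONFIG = "dnssec\nserver=8.8.8.8\n# internal LAN zone on a non-DNSSEC server\n" \
    "server=/home.lan/192.168.1.2\nrev-server=192.168.0.0/16,192.168.1.2\nrev-server=fd00::/8,192.168.1.2\n"
SAMPLE_LOG = "".join(f"dnsmasq[1]: Negative DS reply without NS record received for {d}, "
                     "assuming non-DNSSEC domain-specific server.\n"
                     for d in ("home.lan", "168.192.in-addr.arpa", "d.f.ip6.arpa", "9.9.in-addr.arpa"))
```

Running explain_warnings(SAMPLE_LOG, overridden_domains(SAMPLE_CONFIG)) ties the first three warnings to their config lines and leaves 9.9.in-addr.arpa unexplained, which is the case worth looking at in the full config.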