[Dnsmasq-discuss] Incorrect SERVFAIL on dnssec and rivcoed.org. domain
Petr Menšík
pemensik at redhat.com
Fri Dec 12 19:29:12 UTC 2025
A Pi-hole issue has been created for what is in fact a dnsmasq problem:
https://github.com/pi-hole/FTL/issues/2737
dnsmasq fails where both unbound and bind9 pass the verification as
insecure. The problem is that the domain has an incorrect owner name in the RRSIG:
cloudflare.net.
I will try to create a patch sometime around Christmas, but just wanted to
make it known. Somebody might be faster. I verified it happens on the last
released dnsmasq. I have not tried the last git, but expect that it is affected
as well.
It is okay by other implementations:
delv rivcoed.org.
unbound-host -rvDt A rivcoed.org.
I think that because the rivcoed.org. DS record is not present anyway, the
signature does not need to be checked in this case. dnsmasq fails too early.
Cheers,
Petr
--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
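
The ordering argument in the message above, as an added example that is not part of the original post and is not dnsmasq, unbound or bind9 code. It is a simplified model with no cryptography: the DS table is constructed, and the "signature first" order is an assumption modelled on the message's "fails too early", not a reading of dnsmasq's source.

```python
# Simplified model of DNSSEC validation order. No signatures are verified;
# only the order of the checks is shown. All data below is constructed.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Constructed delegation facts: True means the parent publishes a DS for the
# zone, False means the parent proves that no DS exists (unsigned delegation).
DS_PRESENT = {".": True, "org.": True, "rivcoed.org.": False}


def zone_cuts(name):
    """Zones from the root down to `name`: ['.', 'org.', 'rivcoed.org.']."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "."
                    for i in range(len(labels) - 1, -1, -1)]


def chain_status(zone):
    """Walk down from the trust anchor. The first delegation without a DS
    breaks the chain of trust, so everything at or below it is insecure."""
    for cut in zone_cuts(zone):
        if not DS_PRESENT[cut]:
            return INSECURE
    return SECURE


def signer_ok(rrsig_signer, zone):
    """RFC 4035 5.3.1: the RRSIG signer name must be the zone's own name."""
    return rrsig_signer.lower() == zone.lower()


def validate_signature_first(zone, rrsig_signer):
    """Hypothetical 'too early' order: RRSIG fields are judged before the
    validator has established whether the zone is signed at all."""
    if not signer_ok(rrsig_signer, zone):
        return BOGUS  # a resolver reports this to the client as SERVFAIL
    return chain_status(zone)


def validate_chain_first(zone, rrsig_signer):
    """Order matching the 'insecure' result: DS existence is settled first,
    and RRSIGs in a zone without a DS are never evaluated."""
    if chain_status(zone) == INSECURE:
        return INSECURE
    return SECURE if signer_ok(rrsig_signer, zone) else BOGUS


if __name__ == "__main__":
    for check in (validate_signature_first, validate_chain_first):
        print(check.__name__, check("rivcoed.org.", "cloudflare.net."))
```

The same mismatched RRSIG is still rejected by `validate_chain_first` when the zone does have a DS, so checking the chain first does not weaken validation of signed zones.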