[Dnsmasq-discuss] DNSSEC validation fails for wildcard subdomains

Jan Breig subscriptions at pygos.space
Tue Dec 30 18:44:39 UTC 2025


Hello,

I have set up a wildcard DNS CNAME record `*.b.c.pygos.space`.
When using dnsmasq with DNSSEC validation enabled, a query to this wildcard causes a SERVFAIL.
Queries to explicit subdomains that the wildcard resolves to are successful.

Steps to reproduce:

1. Set up dnsmasq
/etc/dnsmasq.conf
-----------------------------------------------
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
-----------------------------------------------

2. Start dnsmasq
# dnsmasq -d --dnssec

3. Request an explicit subdomain
# dig a.b.c.pygos.space @127.0.0.1
-> works

4. Request the wildcard subdomain itself
# dig *.b.c.pygos.space @127.0.0.1
-> fails with SERVFAIL (NSEC Missing)

5. Request the wildcard subdomain with another resolver
# dig *.b.c.pygos.space @1.1.1.1
-> works

I experienced this bug when using Pi-hole. Related bug:
https://github.com/pi-hole/FTL/issues/2751

Best regards,
Jan Breig
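The comparison in the steps above (local validating dnsmasq versus a reference resolver), written up as a small diagnostic script. This is an added example for this thread, not code from dnsmasq or from the original report; the resolver addresses are the ones used in the report, the query name is whatever is passed as the first argument, and the constructed sample lines in the comments are what `dig` prints, not captured output from pygos.space.

```shell
#!/bin/sh
# Added example (not dnsmasq's code): query one name through the local
# validating dnsmasq and through a reference resolver, then classify the pair.
# Sample dig header lines this parses, e.g.:
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
#   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

# Print the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print "yes" if the AD (authenticated data) flag is set in dig output on stdin.
dig_ad_flag() {
    flags=$(sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ad "*) echo yes ;;
        *)        echo no ;;
    esac
}

# $1 = status from the local validator, $2 = status from the reference resolver.
classify() {
    if [ "$1" = SERVFAIL ] && [ "$2" != SERVFAIL ]; then
        echo "local-only SERVFAIL"          # validator rejected what another resolver accepted
    elif [ "$1" = SERVFAIL ]; then
        echo "SERVFAIL at both resolvers"   # problem lies upstream of the local validator
    else
        echo "no SERVFAIL"
    fi
}

# Live comparison; quote the wildcard label so the shell does not glob it.
compare_resolvers() {
    name=$1; local_rs=${2:-127.0.0.1}; ref_rs=${3:-1.1.1.1}
    local_out=$(dig +dnssec "$name" "@$local_rs")
    ref_out=$(dig +dnssec "$name" "@$ref_rs")
    s_local=$(printf '%s\n' "$local_out" | dig_status)
    s_ref=$(printf '%s\n' "$ref_out" | dig_status)
    ad_ref=$(printf '%s\n' "$ref_out" | dig_ad_flag)
    printf '%s: local=%s reference=%s (AD at reference: %s) -> %s\n' \
        "$name" "$s_local" "$s_ref" "$ad_ref" "$(classify "$s_local" "$s_ref")"
}

# Runs only when a name is given and dig is installed, e.g.:
#   sh check.sh '*.b.c.pygos.space'
if [ $# -ge 1 ] && command -v dig >/dev/null 2>&1; then
    compare_resolvers "$@"
fi
```

A "local-only SERVFAIL" with AD set at the reference resolver is the pattern from the report: the zone validates elsewhere, so the next place to look is the local validator's own output from `dnsmasq -d --dnssec`.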
