[Dnsmasq-discuss] DNSSEC validation fails for wildcard subdomains
Geert Stappers
stappers at stappers.nl
Wed Dec 31 10:04:24 UTC 2025
On Tue, Dec 30, 2025 at 07:44:39PM +0100, Jan Breig via Dnsmasq-discuss wrote:
> Hello,
>
> I have set up a wildcard DNS CNAME record `*.b.c.pygos.space`.
Ack
> When using dnsmasq with DNSSEC validation enabled, a query to this wildcard causes a SERVFAIL.
> Queries to explicit subdomains that the wildcard resolves to are successful.
Acknowledged on that observation.
> Steps to reproduce:
>
> 1. Setup dnsmasq
> /etc/dnsmasq.conf
> -----------------------------------------------
> conf-file=/usr/share/dnsmasq/trust-anchors.conf
> dnssec
> -----------------------------------------------
>
> 2. Start dnsmasq
> # dnsmasq -d --dnssec
>
> 3. Request an explicit subdomain
> # dig a.b.c.pygos.space @127.0.0.1
> -> works
>
> 4. Request the wildcard subdomain itself
> # dig *.b.c.pygos.space @127.0.0.1
> -> fails with SERVFAIL (NSEC Missing)
>
> 5. Request the wildcard subdomain with another resolver
> # dig *.b.c.pygos.space @1.1.1.1
> -> works
Please elaborate on the "-> works".
For better discussion, this is what is seen by me:
|$ dig *.b.c.pygos.space @1.1.1.1
|
|; <<>> DiG 9.20.1-1-Debian <<>> *.b.c.pygos.space @1.1.1.1
|;; global options: +cmd
|;; Got answer:
|;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39580
|;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
|
|;; OPT PSEUDOSECTION:
|; EDNS: version: 0, flags:; udp: 1232
|;; QUESTION SECTION:
|;*.b.c.pygos.space. IN A
|
|;; ANSWER SECTION:
|*.b.c.pygos.space. 300 IN CNAME pygos.space.
|pygos.space. 60 IN A 46.167.27.232
|
|;; Query time: 40 msec
|;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
|;; WHEN: Wed Dec 31 09:43:09 CET 2025
|;; MSG SIZE rcvd: 76
|
|$
> I experienced this bug when using pihole. Related bug:
> https://github.com/pi-hole/FTL/issues/2751
Which has a recent update that nicely asks
What is being expected?
> Best regards,
> Jan Breig
Groeten
Geert Stappers
--
Silence is hard to parse
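A DNSSEC validator decides whether an RRset was wildcard-expanded by comparing the owner name's label count with the RRSIG Labels field, and a wildcard-expanded positive answer additionally needs an NSEC/NSEC3 proof that no closer name exists (RFC 4034 §3.1.3, RFC 4035 §5.3.2 and §5.3.4). The following Python is an added illustration of those rules applied to the names in this thread; it is not code from dnsmasq or from the reporter, and the RRSIG Labels value is constructed from the RFC rule rather than taken from a live zone.

```python
# Added illustration of the RFC 4034/4035 label-count rules a DNSSEC
# validator applies to a signed RRset. Not dnsmasq code; the Labels
# value below is constructed, not fetched from the pygos.space zone.

def labels(name: str) -> list[str]:
    """Split a presentation-format name into labels, ignoring the root label."""
    return [lab for lab in name.rstrip(".").split(".") if lab]

def rrsig_labels(owner: str) -> int:
    """RFC 4034 s3.1.3: the Labels field a signer puts in the RRSIG.
    The root label is never counted, and a leading '*' is not counted."""
    parts = labels(owner)
    if parts and parts[0] == "*":
        parts = parts[1:]
    return len(parts)

def signed_owner_name(owner: str, rrsig_label_count: int) -> str:
    """RFC 4035 s5.3.2: the name the signature really covers. When the
    RRSIG Labels field is smaller than the owner's label count, the
    leftmost labels are replaced by a single '*' before verification."""
    parts = labels(owner)
    if rrsig_label_count > len(parts):
        raise ValueError("RRSIG Labels field exceeds owner name label count")
    if rrsig_label_count == len(parts):
        return ".".join(parts) + "."
    return "*." + ".".join(parts[-rrsig_label_count:]) + "."

def wildcard_expanded(owner: str, rrsig_label_count: int) -> bool:
    """RFC 4035 s5.3.4: more owner labels than the Labels field means the
    answer was synthesized from a wildcard, so the validator must also
    require an NSEC/NSEC3 proof that no closer match exists."""
    return len(labels(owner)) > rrsig_label_count

if __name__ == "__main__":
    # Constructed: the Labels field the signer would put on the
    # '*.b.c.pygos.space' RRset, then the two query names from the thread.
    sig_labels = rrsig_labels("*.b.c.pygos.space.")
    for qname in ("a.b.c.pygos.space.", "*.b.c.pygos.space."):
        print(qname,
              "signed as", signed_owner_name(qname, sig_labels),
              "wildcard-expanded:", wildcard_expanded(qname, sig_labels),
              "(needs non-existence proof)" if wildcard_expanded(qname, sig_labels) else "")
```

Under the plain comparison the literal wildcard name `*.b.c.pygos.space` carries five labels against a Labels field of four, so it is classified exactly like `a.b.c.pygos.space`, and a validator following the rule literally will look for the same NSEC/NSEC3 proof in both cases.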