[Dnsmasq-discuss] DNSSEC validation fails for wildcard subdomains
Jan Breig
subscriptions at pygos.space
Thu Jan 1 13:04:57 UTC 2026
Hello,
sure.
On 31.12.25 at 11:04, Geert Stappers wrote:
>
>> Steps to reproduce:
>>
>> 1. Setup dnsmasq
>> /etc/dnsmasq.conf
>> -----------------------------------------------
>> conf-file=/usr/share/dnsmasq/trust-anchors.conf
>> dnssec
>> -----------------------------------------------
>>
>> 2. Start dnsmasq
>> # dnsmasq -d --dnssec
>>
>> 3. Request an explicit subdomain
>> # dig a.b.c.pygos.space @127.0.0.1
>> -> works
; <<>> DiG 9.18.42 <<>> a.b.c.pygos.space @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8076
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.b.c.pygos.space. IN A
;; ANSWER SECTION:
a.b.c.pygos.space. 191 IN CNAME pygos.space.
pygos.space. 29 IN A 217.147.48.9
;; Query time: 236 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jan 01 13:48:44 CET 2026
;; MSG SIZE rcvd: 76
>>
>> 4. Request the wildcard subdomain itself
>> # dig *.b.c.pygos.space @127.0.0.1
>> -> fails with SERVFAIL (NSEC Missing)
; <<>> DiG 9.18.42 <<>> *.b.c.pygos.space @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48479
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 12 (NSEC Missing)
;; QUESTION SECTION:
;*.b.c.pygos.space. IN A
;; Query time: 76 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jan 01 13:48:14 CET 2026
;; MSG SIZE rcvd: 52
>>
>> 5. Request the wildcard subdomain with another resolver
>> # dig *.b.c.pygos.space @1.1.1.1
>> -> works
; <<>> DiG 9.18.42 <<>> *.b.c.pygos.space @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6838
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;*.b.c.pygos.space. IN A
;; ANSWER SECTION:
*.b.c.pygos.space. 300 IN CNAME pygos.space.
pygos.space. 60 IN A 217.147.48.9
;; Query time: 51 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Jan 01 13:48:30 CET 2026
;; MSG SIZE rcvd: 76
>
>> I experienced this bug when using pihole. Related bug:
>> https://github.com/pi-hole/FTL/issues/2751
>
> Which has a recent update that nicely asks
>
> What is being expected?
>
Dnsmasq should not fail with SERVFAIL in step 4 but return the result like other resolvers do.
The CNAME record is just for testing purposes. I created it to reproduce the SERVFAIL.
Best regards,
Jan Breig
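As an added example (not part of this thread or of dnsmasq), a small Python parser for the header lines of a dig response: it separates a validated answer (AD flag set) from a SERVFAIL that carries an Extended DNS Error, so a local validator's verdict can be checked against a reference resolver's, as in steps 4 and 5 above. The two embedded samples are constructed from the outputs quoted above; `parse_dig` and `validation_mismatch` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the two answers for the wildcard name quoted in the
# thread, trimmed to the header lines the parser needs.
DNSMASQ_WILDCARD = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48479
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1232
; EDE: 12 (NSEC Missing)
"""
UPSTREAM_WILDCARD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6838
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1232
"""


@dataclass
class DigResult:
    status: str
    flags: set
    ede_code: Optional[int] = None
    ede_text: str = ""

    @property
    def verdict(self) -> str:
        # "secure": answered and validated (AD set); "insecure": answered but
        # not validated; "bogus": SERVFAIL explained by an Extended DNS Error
        # (RFC 8914); "error": any other failure.
        if self.status == "NOERROR":
            return "secure" if "ad" in self.flags else "insecure"
        if self.status == "SERVFAIL" and self.ede_code is not None:
            return "bogus"
        return "error"


def parse_dig(text: str) -> DigResult:
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    ede = re.search(r"^; EDE: (\d+)(?: \((.*?)\))?", text, re.M)
    if not status or not flags:
        raise ValueError("not a dig response header")
    return DigResult(
        status=status.group(1),
        flags=set(flags.group(1).split()),
        ede_code=int(ede.group(1)) if ede else None,
        ede_text=(ede.group(2) or "") if ede else "",
    )


def validation_mismatch(local: DigResult, reference: DigResult) -> bool:
    # True when the local validator rejects an answer that the reference
    # validator proved secure: the situation in step 4 of the report.
    return local.verdict == "bogus" and reference.verdict == "secure"
```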