[Dnsmasq-discuss] DNSSEC validation fails for wildcard subdomains
Simon Kelley
simon at thekelleys.org.uk
Wed Jan 14 13:57:04 UTC 2026
On 30.12.2025 18:44, Jan Breig via Dnsmasq-discuss wrote:
> Hello,
>
> I have set up a wildcard DNS CNAME record `*.b.c.pygos.space`.
> When using dnsmasq with DNSSEC validation enabled, a query to this wildcard causes a SERVFAIL.
> Queries to explicit subdomains that the wildcard resolves to are successful.
>
> Steps to reproduce:
>
> 1. Set up dnsmasq
> /etc/dnsmasq.conf
> -----------------------------------------------
> conf-file=/usr/share/dnsmasq/trust-anchors.conf
> dnssec
> -----------------------------------------------
>
> 2. Start dnsmasq
> # dnsmasq -d --dnssec
>
> 3. Request an explicit subdomain
> # dig a.b.c.pygos.space @127.0.0.1
> -> works
>
> 4. Request the wildcard subdomain itself
> # dig *.b.c.pygos.space @127.0.0.1
> -> fails with SERVFAIL (NSEC Missing)
>
> 5. Request the wildcard subdomain with another resolver
> # dig *.b.c.pygos.space @1.1.1.1
> -> works
>
> I experienced this bug when using pihole. Related bug:
> https://github.com/pi-hole/FTL/issues/2751
>
> Best regards,
> Jan Breig
>
I think I got this.

When validating a query answered using a wildcard, the validation has to
check that the actual query doesn't exist.

If a.b.c.pygos.space (in your example) really existed and had a value
different to *.b.c.pygos.space, then an attacker could craft a reply
giving it the same value as *.b.c.pygos.space just by using the
*.b.c.pygos.space signature. The problem here is that dnsmasq was doing
that check when the query is *.b.c.pygos.space, which is just wrong,
since the check will fail (*.b.c.pygos.space does exist) and it is not
necessary.
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=f603a4f920e6953b11667d424956fd47373870e9
Fixes this for me.
Cheers,
Simon.
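The wildcard rule Simon describes, worked through as an added Python illustration (not dnsmasq's code, and not part of the thread): a validator decides from the RRSIG Labels field whether an answer was synthesized from a wildcard, and only then demands an NSEC proving the query name does not exist. The zone names are taken from the report; the RRSIG Labels values and the two NSEC chains are constructed by hand for the example, not fetched from DNS. The `naive` flag reproduces the failure mode of applying the bare label-count comparison to a query for the wildcard name itself.

```python
"""Wildcard handling in a DNSSEC validator: when a signed answer must be
backed by an NSEC proof that the query name does not exist.

Added illustration, not dnsmasq's code.  Names are Python strings; the
RRSIG Labels values and NSEC chains below are constructed by hand for the
zone named in the thread (b.c.pygos.space), not fetched from DNS.
"""
from typing import List, Tuple


def labels(name: str) -> List[str]:
    """Owner name split into labels, without the root label."""
    return [l for l in name.rstrip(".").split(".") if l]


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for DNSSEC canonical ordering (RFC 4034 s6.1): labels are
    compared right to left, case-insensitively; a shorter name sorts first."""
    return tuple(l.lower().encode() for l in reversed(labels(name)))


def signed_name(owner: str, sig_labels: int) -> str:
    """Name the RRSIG was actually computed over.  A signer sets the Labels
    field to the owner name's label count, not counting a leading '*'
    (RFC 4034 s3.1.3); a Labels value below the number of labels in the
    owner name therefore means the RRset came from the wildcard
    '*.<rightmost sig_labels labels>'."""
    ls = labels(owner)
    if sig_labels >= len(ls):
        return ".".join(ls) + "."
    return "*." + ".".join(ls[len(ls) - sig_labels:]) + "."


def needs_nonexistence_proof(qname: str, sig_labels: int, naive: bool = False) -> bool:
    """True when the answer was synthesized from a wildcard, so the validator
    must also see proof that qname itself does not exist.

    naive=True applies the bare comparison 'Labels < label count of owner'.
    That misfires when the query *is* the wildcard name: Labels is still one
    below the label count, but nothing was synthesized and the name does
    exist, so demanding an NSEC covering it guarantees failure.  That is the
    behaviour the reply above describes as the bug."""
    ls = labels(qname)
    if sig_labels >= len(ls):
        return False                      # signed directly under its own name
    if naive:
        return True
    return canonical_key(qname) != canonical_key(signed_name(qname, sig_labels))


def nsec_covers(nsec_owner: str, nsec_next: str, name: str) -> bool:
    """True if the NSEC with this owner/next pair proves `name` does not
    exist: name sorts strictly between them, or, for the last NSEC in the
    zone (whose next name wraps to the apex), after the owner or before next."""
    o, n, x = (canonical_key(s) for s in (nsec_owner, nsec_next, name))
    if x == o:
        return False                      # name exists: it owns this NSEC
    if o < n:
        return o < x < n
    return x > o or x < n                 # wrap-around NSEC at end of chain


def validate_wildcard_answer(qname: str, sig_labels: int,
                             nsecs: List[Tuple[str, str]],
                             naive: bool = False) -> str:
    """Minimal wildcard check from RFC 4035 s5.3.4, applied after the RRSIG
    itself has verified.  Returns 'secure' or a 'bogus: ...' reason."""
    if not needs_nonexistence_proof(qname, sig_labels, naive):
        return "secure"
    if any(nsec_covers(o, n, qname) for o, n in nsecs):
        return "secure"
    return "bogus: no NSEC proves that %s does not exist" % qname


# Constructed data.  ZONE_NSECS: a zone holding only the apex and the
# wildcard, so its NSEC chain is apex -> wildcard -> (wrap) apex.  The CNAME
# at the wildcard is signed with Labels=4 (b, c, pygos, space).
ZONE_NSECS = [
    ("b.c.pygos.space.", "*.b.c.pygos.space."),
    ("*.b.c.pygos.space.", "b.c.pygos.space."),
]
# ZONE_NSECS_WITH_A: the same zone with a real a.b.c.pygos.space record, the
# case where reusing the wildcard's RRSIG for a.b.c.pygos.space must be rejected.
ZONE_NSECS_WITH_A = [
    ("b.c.pygos.space.", "*.b.c.pygos.space."),
    ("*.b.c.pygos.space.", "a.b.c.pygos.space."),
    ("a.b.c.pygos.space.", "b.c.pygos.space."),
]
WILDCARD_SIG_LABELS = 4

if __name__ == "__main__":
    for q in ("a.b.c.pygos.space.", "*.b.c.pygos.space."):
        print(q, "correct:", validate_wildcard_answer(q, WILDCARD_SIG_LABELS, ZONE_NSECS),
              "| naive:", validate_wildcard_answer(q, WILDCARD_SIG_LABELS, ZONE_NSECS, naive=True))
    print("forged a.b.c. via wildcard RRSIG:",
          validate_wildcard_answer("a.b.c.pygos.space.", WILDCARD_SIG_LABELS, ZONE_NSECS_WITH_A))
```

With the first chain, `a.b.c.pygos.space` is covered by the wrap-around NSEC and validates; `*.b.c.pygos.space` validates only when the query-is-the-wildcard case is recognised, since no NSEC can cover a name that owns one. With the second chain, a reply that reuses the wildcard's signature for the existing `a.b.c.pygos.space` is rejected because the chain shows that name exists.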