[Dnsmasq-discuss] Incorrect SERVFAIL on dnssec and rivcoed.org. domain
Simon Kelley
simon at thekelleys.org.uk
Sun Jan 18 21:17:09 UTC 2026
On 12.12.2025 19:29, Petr Menšík via Dnsmasq-discuss wrote:
> There is created pihole issue for in fact dnsmasq problem:
>
> https://github.com/pi-hole/FTL/issues/2737
>
> dnsmasq fails where both unbound and bind9 pass the verification as
> insecure. The problem is that domain has incorrect owner name in RRSIG:
> cloudflare.net.
>
> I will try to create patch sometime around christmas, but just wanted to
> make it known. Somebody might be faster. Verified it happens on last
> released dnsmasq. Have not tried last git, but expect that is affected
> as well.
>
> it is okay by other implementations:
>
> delv rivcoed.org.
>
> unbound-host -rvDt A rivcoed.org.
>
> I think because rivcoed.org. DS record is not present anyway, signature
> does not need to be checked in this case. dnsmasq fails too early.
I agree, Another of those cases where making the code work made it
simpler and cleaner too.
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1269f074f86bb959863012063060a3a082d37dc4
Cheers,
Simon.
>
> Cheers,
> Petr
>
More information about the Dnsmasq-discuss
mailing list