[Dnsmasq-discuss] Regression/Feature Request for 2.92

Simon Kelley simon at thekelleys.org.uk
Tue Mar 17 22:05:56 UTC 2026


The relevant changes and the rationale for making them are at


https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=57f0489f384193f7c962fb2a20c9e2e867f86039


I just did a simple test that looks analogous to what you're doing, and it all worked as expected.


dnsmasq: DNSSEC validation enabled
dnsmasq: configured with trust anchor for <root> keytag 20326
dnsmasq: using nameserver 127.0.0.1#10002 for domain internal
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 10 names
dnsmasq: query[A] simon.internal from ::1
dnsmasq: forwarded simon.internal to 127.0.0.1#10002
dnsmasq: dnssec-query[DS] internal to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 21831, algo 8
dnsmasq: reply . is DNSKEY keytag 38696, algo 8
dnsmasq: reply . is DNSKEY keytag 20326, algo 8
dnsmasq: Negative DS reply without NS record received for internal, assuming non-DNSSEC domain-specific server.
dnsmasq: reply internal is no DS
dnsmasq: validation result is INSECURE
dnsmasq: reply simon.internal is 1.2.3.4

So there's something that's in your setup but not mine that I didn't think of.

As a start, please could you enable log-queries and run the test again, then post the resulting log.


Cheers,

Simon.



On 11.03.2026 06:19, Rodolfo Silva via Dnsmasq-discuss wrote:
> Dears,
> 
> I use a custom dnsmasq configuration in which dnsmasq uses my local DNS server for unqualified hostnames and hostnames with the custom domain dw.internal.
> 
> Configuration looks like this:
> 
> 
> # Add other name servers here, with domain specs if they are for
> # non-public domains.
> servers-file=/var/run/NetworkManager/local-net-dns-servers.conf
> 
> 
> /var/run/NetworkManager/local-net-dns-servers.conf
> 
> server=/dw.internal/10.24.64.3@eth0
> server=//10.24.64.3@eth0
> 
> I have DNSSEC validation enabled, and now when querying a local hostname:
> 
> dig router1.dw.internal
> 
> dnsmasq tries to validate the response even if this local zone is not signed:
> 
> validation router1.dw.internal is ABANDONED
> 
> I fixed this by including trust-anchor=internal in the global dnsmasq.conf.
> But maybe we can AUTOMATICALLY exclude any custom non-public domain from DNSSEC validation?
> If not possible, does the logic allow including the trust-anchor statement in the servers-file?
> 
> 
> Prior to v2.92, validation for the internal domain just went fine.
> Expecting any advice.
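As an added example (not dnsmasq code, and not from either poster), a small Python summariser for the kind of log-queries output Simon asks for: it groups dnsmasq's log lines per client query and reports which upstream was used, which DS/DNSKEY lookups validation triggered, and the verdict (SECURE, INSECURE, ABANDONED, BOGUS or none). The sample log reuses lines from Simon's test above plus one constructed query reproducing the ABANDONED verdict Rodolfo describes; the attribution of nameless lines to the latest unresolved query is an assumption that holds for serial queries.

```python
import re

# Log excerpt taken from Simon's test in this thread, followed by one constructed
# query (router1.dw.internal) reproducing the ABANDONED verdict Rodolfo reported.
SAMPLE_LOG = """\
dnsmasq: query[A] simon.internal from ::1
dnsmasq: forwarded simon.internal to 127.0.0.1#10002
dnsmasq: dnssec-query[DS] internal to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: Negative DS reply without NS record received for internal, assuming non-DNSSEC domain-specific server.
dnsmasq: validation result is INSECURE
dnsmasq: reply simon.internal is 1.2.3.4
dnsmasq: query[A] router1.dw.internal from 127.0.0.1
dnsmasq: forwarded router1.dw.internal to 10.24.64.3
dnsmasq: validation router1.dw.internal is ABANDONED
"""

QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
FORWARDED = re.compile(r"forwarded (\S+) to (\S+)$")
DNSSEC_Q = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)$")
RESULT = re.compile(r"validation result is (\w+)$")       # verdict without a name
NAMED_RESULT = re.compile(r"validation (\S+) is (\w+)$")  # verdict carrying the name
REPLY = re.compile(r"reply (\S+) is (.+)$")

def summarise(log_text):
    """One record per client query: upstream, DNSSEC lookups triggered, verdict and
    answer. Without log-queries=extra there are no query ids, so dnssec-query lines
    and a nameless 'validation result' go to the latest query lacking a verdict."""
    by_name = {}
    for line in log_text.splitlines():
        # Strip a syslog prefix and the "dnsmasq[pid]: " tag if present.
        msg = re.sub(r"^.*?dnsmasq(?:\[\d+\])?: ", "", line).strip()
        pending = next((r for r in reversed(by_name.values()) if r["verdict"] is None), None)
        if m := QUERY.match(msg):
            by_name[m[2]] = {"name": m[2], "qtype": m[1], "upstream": None,
                             "dnssec_queries": [], "verdict": None, "answer": None}
        elif (m := FORWARDED.match(msg)) and m[1] in by_name:
            by_name[m[1]]["upstream"] = m[2]
        elif (m := DNSSEC_Q.match(msg)) and pending:
            pending["dnssec_queries"].append(f"{m[1]} {m[2]} -> {m[3]}")
        elif (m := RESULT.match(msg)) and pending:
            pending["verdict"] = m[1]
        elif (m := NAMED_RESULT.match(msg)) and m[1] in by_name:
            by_name[m[1]]["verdict"] = m[2]
        elif (m := REPLY.match(msg)) and m[1] in by_name:
            by_name[m[1]]["answer"] = m[2]
    return list(by_name.values())

def unvalidated(records):
    """Names answered without a SECURE verdict (INSECURE, ABANDONED, BOGUS or none)."""
    return [r["name"] for r in records if r["verdict"] != "SECURE"]
```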



