[Dnsmasq-discuss] Regression/Feature Request for 2.92
rodolfosilva2 at tutanota.com
Tue Mar 31 09:50:29 UTC 2026
I just checked with the new version and now everything works perfectly, as before.
Many thanks for the fast fix!
Waiting now for next release.
--
Secured with Tuta Mail:
https://tuta.com/free-email
Mar 26, 2026, 14:55 by simon at thekelleys.org.uk:
> A classic bug caused by the user (you) doing something the coder (me) didn't expect :)
>
> I just pushed 2.93test8 to git and the test-releases directory on thekelleys.org.uk. The relevant commit is
>
> https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=5be5dc1f16143222f104f3d33cedb6a77e9f182d
>
> Now if there's no configured upstream server for the parent domain of a domain-specific server (i.e. in this case for the root) then dnsmasq will treat that as a reason to assume that the domain-specific server's domain (i.e. internal) is not signed.
>
> After removing 8.8.8.8 as you suggest, it now Works For Me.
>
> Cheers,
>
> Simon.
>
> On 19.03.2026 02:00, rodolfosilva2 at tutanota.com wrote:
>
>> In my case the dnsmasq has no connection to any public DNS server to perform DS validation. (Remove this: dnsmasq: using nameserver 8.8.8.8#53) and test again.
>>
>> But even with no connection, resolving local domains and unqualified domains via the external server should work.
>>
>>
>> Mar 17, 2026, 22:05 by simon at thekelleys.org.uk:
>>
>>> The relevant changes and the rationale for making them are at
>>>
>>>
>>> https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=57f0489f384193f7c962fb2a20c9e2e867f86039
>>>
>>>
>>> I just did a simple test that looks analogous to what you're doing, and it all worked as expected.
>>>
>>>
>>> dnsmasq: DNSSEC validation enabled
>>> dnsmasq: configured with trust anchor for <root> keytag 20326
>>> dnsmasq: using nameserver 127.0.0.1#10002 for domain internal
>>> dnsmasq: using nameserver 8.8.8.8#53
>>> dnsmasq: read /etc/hosts - 10 names
>>> dnsmasq: query[A] simon.internal from ::1
>>> dnsmasq: forwarded simon.internal to 127.0.0.1#10002
>>> dnsmasq: dnssec-query[DS] internal to 8.8.8.8
>>> dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
>>> dnsmasq: reply . is DNSKEY keytag 21831, algo 8
>>> dnsmasq: reply . is DNSKEY keytag 38696, algo 8
>>> dnsmasq: reply . is DNSKEY keytag 20326, algo 8
>>> dnsmasq: Negative DS reply without NS record received for internal, assuming non-DNSSEC domain-specific server.
>>> dnsmasq: reply internal is no DS
>>> dnsmasq: validation result is INSECURE
>>> dnsmasq: reply simon.internal is 1.2.3.4
>>>
>>> So there's something that's in your setup but not mine that I didn't think of.
>>>
>>> As a start, please could you enable log-queries and run the test again, then post the resulting log.
>>>
>>>
>>> Cheers,
>>>
>>> Simon.
>>>
>>>
>>>
>>> On 11.03.2026 06:19, Rodolfo Silva via Dnsmasq-discuss wrote:
>>>
>>>> Dears,
>>>>
>>>> I use a custom dnsmasq configuration in which dnsmasq uses my local DNS server for unqualified hostnames and hostnames with the custom domain dw.internal.
>>>>
>>>> Configuration looks like this:
>>>>
>>>>
>>>> # Add other name servers here, with domain specs if they are for
>>>> # non-public domains.
>>>> servers-file=/var/run/NetworkManager/local-net-dns-servers.conf
>>>>
>>>>
>>>> /var/run/NetworkManager/local-net-dns-servers.conf
>>>>
>>>> server=/dw.internal/10.24.64.3@eth0
>>>> server=//10.24.64.3@eth0
>>>>
>>>> I have DNSSEC validation enabled, and now when querying a local hostname:
>>>>
>>>> dig router1.dw.internal
>>>>
>>>> dnsmasq tries to validate the response even if this local zone is not signed.
>>>>
>>>> validation router1.dw.internal is ABANDONED
>>>>
>>>> I fixed this by including trust-anchor=internal in the global dnsmasq.conf
>>>> But maybe we can AUTOMATICALLY exclude any custom non-public domain from DNSSEC validation?
>>>> If not possible, does the logic allow including the trust-anchor statement in the servers-file?
>>>>
>>>>
>>>> Prior to v2.92, validation for the internal domain just went fine.
>>>> Expecting any advice.
>>>>
>>>>
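
A diagnostic for the symptom reported in this thread, as an added example (not code from the posters or from dnsmasq): it reads `server=/domain/addr@iface` lines and a query log, and lists the names under a domain-specific server whose validation was ABANDONED. The sample config and log are constructed from lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the config and log lines quoted in this thread.
SERVERS_FILE = "server=/dw.internal/10.24.64.3@eth0\nserver=//10.24.64.3@eth0\n"
LOG = """\
dnsmasq: query[A] router1.dw.internal from ::1
dnsmasq: forwarded router1.dw.internal to 10.24.64.3
dnsmasq: validation router1.dw.internal is ABANDONED
dnsmasq: validation printer is ABANDONED
dnsmasq: validation www.example.org is ABANDONED
dnsmasq: validation result is INSECURE
"""

# server=/<domain>/<address>[#port][@interface]; an empty domain (//) means unqualified names.
SERVER_RE = re.compile(r"^server=/([^/]*)/([^@#\s]+)(?:#(\d+))?(?:@(\S+))?$")
# The thread shows both "validation <name> is X" and "validation result is X"; skip the latter.
VALIDATION_RE = re.compile(r"validation (?!result\b)(\S+) is (\w+)")

def parse_servers(text):
    """Return {domain: (address, interface)} for single-domain server= lines."""
    servers = {}
    for line in text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            domain, addr, _port, iface = m.groups()
            servers[domain.lower().rstrip(".")] = (addr, iface)
    return servers

def matching_domain(name, servers):
    """Longest configured domain that is a suffix of name; '' covers unqualified names."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in servers:
            return candidate
    return "" if len(labels) == 1 and "" in servers else None

def abandoned_local_names(servers_text, log_text):
    """List (name, domain, server) for ABANDONED validations under a domain-specific server."""
    servers = parse_servers(servers_text)
    hits = []
    for name, status in VALIDATION_RE.findall(log_text):
        domain = matching_domain(name, servers)
        if status == "ABANDONED" and domain is not None:
            hits.append((name, domain or "<unqualified>", servers[domain][0]))
    return hits

if __name__ == "__main__":
    for name, domain, server in abandoned_local_names(SERVERS_FILE, LOG):
        print(f"{name}: validation ABANDONED, served by {server} for domain {domain}")
```
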