[Dnsmasq-discuss] dnssec problem here and now

Steffen Nurpmeso steffen at sdaoden.eu
Tue May 5 21:52:25 UTC 2026


Hello.

I wanted to report that I just now had a dnssec problem with
dnsmasq; I had to turn it off because "more and more" (it seemed
so) DNS queries returned failure.

My setup is dnsmasq on any box, which connects via VPN to a dnsmasq on
the server, and that one does it for real.

I realized it first when I could not send to the postfix list

  $ dig postfix.org MX
->
  postfix.org.            3276    IN      MX      10 list.sys4.de.

But then

  $ dig list.sys4.de

  ; <<>> DiG 9.20.22 <<>> list.sys4.de
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22620
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1232
  ; EDE: 6 (DNSSEC Bogus)
  ;; QUESTION SECTION:
  ;list.sys4.de.                  IN      A

  ;; Query time: 356 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
  ;; WHEN: Tue May 05 22:37:00 CEST 2026
  ;; MSG SIZE  rcvd: 47

  $ dig sys4.de @8.8.8.8

  ; <<>> DiG 9.20.22 <<>> sys4.de @8.8.8.8
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48428
  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 512
  ;; QUESTION SECTION:
  ;sys4.de.                       IN      A

  ;; ANSWER SECTION:
  sys4.de.                3600    IN      A       194.126.158.152

  ;; Query time: 239 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
  ;; WHEN: Tue May 05 22:37:37 CEST 2026
  ;; MSG SIZE  rcvd: 52

  $ dig sys4.de @8.8.8.8 MX

  ; <<>> DiG 9.20.22 <<>> sys4.de @8.8.8.8 MX
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15147
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 512
  ; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for sys4.de/ds (keytag=33834))
  ;; QUESTION SECTION:
  ;sys4.de.                       IN      MX

  ;; Query time: 279 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
  ;; WHEN: Tue May 05 22:37:57 CEST 2026
  ;; MSG SIZE  rcvd: 108

Now *if* I configure the dnsmasq on the server to only connect to
the DNS server of my provider, i.e., "no man in the middle possible
*I would think*", I still get the same stuff:

  ; EDE: 10 (RRSIGs Missing)
or
  ; EDE: 9 (DNSKEY Missing)
or
  ; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 (keytag=33834))

Or in long

  May  5 23:37:31 dnsmasq[7934]: 1 192.0.2.2/48096 forwarded zeit.de to 188.246.0.34
  May  5 23:37:31 dnsmasq[7934]: 2 dnssec-query[DS] de to 188.246.0.34
  May  5 23:37:31 dnsmasq[7934]: 3 dnssec-query[DNSKEY] . to 188.246.0.34
  May  5 23:37:31 dnsmasq[7934]: 3 reply . is DNSKEY keytag 54393, algo 8
  May  5 23:37:31 dnsmasq[7934]: 3 reply . is DNSKEY keytag 20326, algo 8
  May  5 23:37:31 dnsmasq[7934]: 3 reply . is DNSKEY keytag 38696, algo 8
  May  5 23:37:31 dnsmasq[7934]: 2 reply de is DS for keytag 26755, algo 8, digest 2
  May  5 23:37:31 dnsmasq[7934]: 4 dnssec-query[DS] zeit.de to 188.246.0.34
  May  5 23:37:31 dnsmasq[7934]: 5 dnssec-query[DNSKEY] de to 188.246.0.34
  May  5 23:37:31 dnsmasq[7934]: 5 reply de is DNSKEY keytag 33834, algo 8
  May  5 23:37:31 dnsmasq[7934]: 5 reply de is DNSKEY keytag 32911, algo 8
  May  5 23:37:31 dnsmasq[7934]: 5 reply de is DNSKEY keytag 26755, algo 8
  May  5 23:37:31 dnsmasq[7934]: 1 192.0.2.2/48096 validation zeit.de is BOGUS (EDE: DNSKEY missing)

  May  5 23:38:22 dnsmasq[7967]: DNSSEC validation enabled
  May  5 23:38:22 dnsmasq[7967]: configured with trust anchor for <root> keytag 38696
  May  5 23:38:22 dnsmasq[7967]: configured with trust anchor for <root> keytag 20326
  May  5 23:38:22 dnsmasq[7967]: using nameserver 8.8.8.8#53
  May  5 23:38:22 dnsmasq[7967]: read /etc/hosts - 9 names
  May  5 23:38:22 dnsmasq[7967]: read /etc/hosts.local - 15 names
  May  5 23:38:26 dnsmasq[7967]: 1 192.0.2.2/56092 query[A] zeit.de from 192.0.2.2
  May  5 23:38:26 dnsmasq[7967]: 1 192.0.2.2/56092 forwarded zeit.de to 8.8.8.8
  May  5 23:38:26 dnsmasq[7967]: 2 dnssec-query[DS] de to 8.8.8.8
  May  5 23:38:26 dnsmasq[7967]: 3 dnssec-query[DNSKEY] . to 8.8.8.8
  May  5 23:38:26 dnsmasq[7967]: 3 reply . is DNSKEY keytag 20326, algo 8
  May  5 23:38:26 dnsmasq[7967]: 3 reply . is DNSKEY keytag 38696, algo 8
  May  5 23:38:26 dnsmasq[7967]: 3 reply . is DNSKEY keytag 54393, algo 8
  May  5 23:38:26 dnsmasq[7967]: 2 reply de is DS for keytag 26755, algo 8, digest 2
  May  5 23:38:26 dnsmasq[7967]: 4 dnssec-query[DS] zeit.de to 8.8.8.8
  May  5 23:38:26 dnsmasq[7967]: 4 dnssec-retry[DS] zeit.de to 8.8.8.8
  May  5 23:38:26 dnsmasq[7967]: 4 reply zeit.de is SERVFAIL
  May  5 23:38:26 dnsmasq[7967]: 1 192.0.2.2/56092 validation zeit.de is BOGUS (EDE: RRSIG missing)
  May  5 23:39:13 dnsmasq[7967]: 5 192.0.2.2/44956 query[A] spiegel.de from 192.0.2.2
  May  5 23:39:13 dnsmasq[7967]: 5 192.0.2.2/44956 forwarded spiegel.de to 8.8.8.8
  May  5 23:39:13 dnsmasq[7967]: 5 192.0.2.2/44956 validation spiegel.de is BOGUS (EDE: DNSSEC bogus)
  May  5 23:39:13 dnsmasq[7967]: 5 192.0.2.2/44956 reply error is SERVFAIL (EDE: DNSSEC bogus)

I have no idea, as you see; maybe this is a large scale DNS
poisoning thing, or what do I know, maybe someone is sitting in
the middle and doing it regardless, but otherwise I would wonder
why 8.8.8.8 stores bogus data, for example?
The server runs AlpineLinux/musl, this box CRUX/glibc.
I still get

  May  5 23:42:22 dnsmasq[7967]: 9 reply eu is DNSKEY keytag 53394, algo 8
  May  5 23:42:22 dnsmasq[7967]: 8 reply sdaoden.eu is no DS
  May  5 23:42:22 dnsmasq[7967]: 6 192.0.2.2/28792 validation result is INSECURE
  May  5 23:42:22 dnsmasq[7967]: 6 192.0.2.2/28792 reply vpn.sdaoden.eu is NODATA-IPv6
  May  5 23:42:22 dnsmasq[7967]: 10 192.0.2.2/23228 query[DS] eu from 192.0.2.2
  May  5 23:42:22 dnsmasq[7967]: 10 192.0.2.2/23228 forwarded eu to 8.8.8.8
  May  5 23:42:22 dnsmasq[7967]: 10 192.0.2.2/23228 validation result is SECURE
  May  5 23:42:22 dnsmasq[7967]: 10 192.0.2.2/23228 reply eu is <DS> (DNSSEC signed)
  May  5 23:42:23 dnsmasq[7967]: 11 192.0.2.2/57337 query[DNSKEY] . from 192.0.2.2
  May  5 23:42:23 dnsmasq[7967]: 11 192.0.2.2/57337 forwarded . to 8.8.8.8
  May  5 23:42:23 dnsmasq[7967]: 11 192.0.2.2/57337 validation result is SECURE
  May  5 23:42:23 dnsmasq[7967]: 11 192.0.2.2/57337 reply . is <DNSKEY> (DNSSEC signed)
  May  5 23:42:23 dnsmasq[7967]: 12 192.0.2.2/36826 query[DS] sdaoden.eu from 192.0.2.2
  May  5 23:42:23 dnsmasq[7967]: 12 192.0.2.2/36826 forwarded sdaoden.eu to 8.8.8.8
  May  5 23:42:23 dnsmasq[7967]: 12 192.0.2.2/36826 validation result is SECURE
  May  5 23:42:23 dnsmasq[7967]: 12 192.0.2.2/36826 reply sdaoden.eu is NODATA (DNSSEC signed)
  May  5 23:42:23 dnsmasq[7967]: 13 192.0.2.2/35731 query[DNSKEY] eu from 192.0.2.2
  May  5 23:42:23 dnsmasq[7967]: 13 192.0.2.2/35731 forwarded eu to 8.8.8.8
  May  5 23:42:23 dnsmasq[7967]: 13 192.0.2.2/35731 validation result is SECURE
  May  5 23:42:23 dnsmasq[7967]: 13 192.0.2.2/35731 reply eu is <DNSKEY> (DNSSEC signed)

I thought I'd re-enable my subscription and report it, FWIW.
Ridiculous or not.

Ciao.

P.S.: (I had subscribed in the past to say thanks! without any
money, which I did, and to ask for "authoritative" settings in
a dhcp-hostsfile, so that for example IPv6 is no longer tried if
there is an entry therein.  Thank you.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
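An added example, not part of the original post or of dnsmasq itself: a small parser for dnsmasq's DNSSEC log lines of the kind quoted above. It counts validation outcomes, collects the BOGUS names with their EDE reason, and cross-checks that every DS keytag seen for a zone also appears in that zone's DNSKEY set, which is the first thing to rule out when "DNSKEY missing" shows up. The sample lines are constructed from the report; the `example.test` zone and keytag 12345 are constructed purely to show the DS/DNSKEY mismatch check firing.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the dnsmasq log lines in the report.
# The last line (example.test / keytag 12345) is invented to exercise the mismatch check.
SAMPLE_LOG = """\
May  5 23:37:31 dnsmasq[7934]: 2 reply de is DS for keytag 26755, algo 8, digest 2
May  5 23:37:31 dnsmasq[7934]: 5 reply de is DNSKEY keytag 33834, algo 8
May  5 23:37:31 dnsmasq[7934]: 5 reply de is DNSKEY keytag 32911, algo 8
May  5 23:37:31 dnsmasq[7934]: 5 reply de is DNSKEY keytag 26755, algo 8
May  5 23:37:31 dnsmasq[7934]: 1 192.0.2.2/48096 validation zeit.de is BOGUS (EDE: DNSKEY missing)
May  5 23:38:26 dnsmasq[7967]: 1 192.0.2.2/56092 validation zeit.de is BOGUS (EDE: RRSIG missing)
May  5 23:39:13 dnsmasq[7967]: 5 192.0.2.2/44956 validation spiegel.de is BOGUS (EDE: DNSSEC bogus)
May  5 23:42:22 dnsmasq[7967]: 8 reply sdaoden.eu is no DS
May  5 23:42:22 dnsmasq[7967]: 6 192.0.2.2/28792 validation result is INSECURE
May  5 23:42:22 dnsmasq[7967]: 10 192.0.2.2/23228 validation result is SECURE
May  5 23:42:23 dnsmasq[7967]: 14 reply example.test is DS for keytag 12345, algo 8, digest 2
"""

# "validation <name> is BOGUS (EDE: ...)" or "validation result is SECURE/INSECURE"
VALIDATION_RE = re.compile(
    r"validation (?:result|(?P<name>\S+)) is (?P<state>SECURE|INSECURE|BOGUS)"
    r"(?: \(EDE: (?P<ede>[^)]*)\))?")
DS_RE = re.compile(r"reply (?P<zone>\S+) is DS for keytag (?P<tag>\d+)")
DNSKEY_RE = re.compile(r"reply (?P<zone>\S+) is DNSKEY keytag (?P<tag>\d+)")

def summarize(log_text):
    """Return (state counts, list of (bogus name, EDE reason), DS keytags with no DNSKEY)."""
    counts = defaultdict(int)
    bogus = []
    ds_tags = defaultdict(set)
    dnskey_tags = defaultdict(set)
    for line in log_text.splitlines():
        if m := VALIDATION_RE.search(line):
            counts[m["state"]] += 1
            if m["state"] == "BOGUS":
                bogus.append((m["name"] or "?", m["ede"] or ""))
        elif m := DS_RE.search(line):
            ds_tags[m["zone"]].add(int(m["tag"]))
        elif m := DNSKEY_RE.search(line):
            dnskey_tags[m["zone"]].add(int(m["tag"]))
    # A DS pointing at a keytag that never appears in the zone's DNSKEY RRset breaks the chain.
    missing = {z: t - dnskey_tags[z] for z, t in ds_tags.items() if t - dnskey_tags[z]}
    return dict(counts), bogus, missing

if __name__ == "__main__":
    counts, bogus, missing = summarize(SAMPLE_LOG)
    print(counts)                        # {'BOGUS': 3, 'INSECURE': 1, 'SECURE': 1}
    for name, ede in bogus:
        print(f"BOGUS {name}: {ede}")
    print("DS without matching DNSKEY:", missing)
```

On the report's own lines the DS for `de` (keytag 26755) is present in the `de` DNSKEY set, so the check stays quiet there; the failures are attributed to RRSIG problems instead.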