Hello, I have set up a wildcard DNS CNAME record `*.b.c.pygos.space`. When using dnsmasq with DNSSEC validation enabled, a query to this wildcard causes a SERVFAIL. Queries to explicit subdomains that the wildcard resolves to are successful.
Steps to reproduce:

1. Set up dnsmasq

/etc/dnsmasq.conf
-----------------------------------------------
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
-----------------------------------------------

2. Start dnsmasq

# dnsmasq -d --dnssec

3. Request an explicit subdomain

# dig a.b.c.pygos.space @127.0.0.1
-> works

4. Request the wildcard subdomain itself

# dig *.b.c.pygos.space @127.0.0.1
-> fails with SERVFAIL (NSEC Missing)

5. Request the wildcard subdomain with another resolver

# dig *.b.c.pygos.space @1.1.1.1
-> works

I experienced this bug when using pihole.
Related bug: https://github.com/pi-hole/FTL/issues/2751

Best regards,
Jan Breig
