Hello,

sure.

On 31.12.25 at 11:04, Geert Stappers wrote:
>
>> Steps to reproduce:
>>
>> 1. Setup dnsmasq
>> /etc/dnsmasq.conf
>> -----------------------------------------------
>> conf-file=/usr/share/dnsmasq/trust-anchors.conf
>> dnssec
>> -----------------------------------------------
>>
>> 2. Start dnsmasq
>> # dnsmasq -d --dnssec
>>
>> 3. Request an explicit subdomain
>> # dig a.b.c.pygos.space @127.0.0.1
>> -> works

; <<>> DiG 9.18.42 <<>> a.b.c.pygos.space @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8076
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.b.c.pygos.space.        IN    A

;; ANSWER SECTION:
a.b.c.pygos.space.    191    IN    CNAME    pygos.space.
pygos.space.          29     IN    A        217.147.48.9

;; Query time: 236 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jan 01 13:48:44 CET 2026
;; MSG SIZE  rcvd: 76

>>
>> 4. Request the wildcard subdomain itself
>> # dig *.b.c.pygos.space @127.0.0.1
>> -> fails with SERVFAIL (NSEC Missing)

; <<>> DiG 9.18.42 <<>> *.b.c.pygos.space @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48479
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 12 (NSEC Missing)
;; QUESTION SECTION:
;*.b.c.pygos.space.        IN    A

;; Query time: 76 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jan 01 13:48:14 CET 2026
;; MSG SIZE  rcvd: 52

>>
>> 5. Request the wildcard subdomain with another resolver
>> # dig *.b.c.pygos.space @1.1.1.1
>> -> works

; <<>> DiG 9.18.42 <<>> *.b.c.pygos.space @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6838
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;*.b.c.pygos.space.        IN    A

;; ANSWER SECTION:
*.b.c.pygos.space.    300    IN    CNAME    pygos.space.
pygos.space.          60     IN    A        217.147.48.9

;; Query time: 51 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Jan 01 13:48:30 CET 2026
;; MSG SIZE  rcvd: 76

>
>> I experienced this bug when using pihole. Related bug:
>> https://github.com/pi-hole/FTL/issues/2751
>
> Which has recent update that nicely asks
>
> What is being expected?
>

Dnsmasq should not fail with SERVFAIL in step 4 but return the result like other resolvers do.

The CNAME record is just for testing purposes. I created it to reproduce the SERVFAIL.

Best regards,
Jan Breig

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
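
A triage helper for the comparison in steps 4 and 5, added here as an example and not part of the original message or of dnsmasq: it parses dig output and reports when the local resolver returns SERVFAIL (with its Extended DNS Error, if any) for a name that a reference resolver answers with the `ad` flag set. The function names are hypothetical and the abbreviated sample outputs are constructed from the dig output quoted in the message.

```python
import re

# Abbreviated dig outputs, constructed from the ones quoted in the message.
LOCAL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48479
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 12 (NSEC Missing)
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
"""
REFERENCE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6838
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
"""

def parse_dig(text):
    """Extract status, header flags, EDE (code, text) and server from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    ede = re.search(r"^; EDE: (\d+)(?: \(([^)]*)\))?", text, re.M)
    server = re.search(r"^;; SERVER: ([^#\s]+)", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "ede": (int(ede.group(1)), ede.group(2)) if ede else None,
        "server": server.group(1) if server else None,
    }

def validation_mismatch(local, reference):
    """Return a finding string when the local resolver answers SERVFAIL for a
    name the reference resolver returns as validated (ad set), else None."""
    l, r = parse_dig(local), parse_dig(reference)
    if l["status"] != "SERVFAIL" or r["status"] != "NOERROR":
        return None
    if "ad" not in r["flags"]:
        return None  # reference did not validate the answer; nothing to compare
    code, text = l["ede"] if l["ede"] else (None, "no EDE reported")
    return (f"{l['server']} SERVFAIL (EDE {code}: {text}) "
            f"but {r['server']} validated the answer (ad set)")

if __name__ == "__main__":
    print(validation_mismatch(LOCAL, REFERENCE))
```

Feeding it the full output of the two dig commands from steps 4 and 5 works the same way, since only the header, flags, EDE and SERVER lines are read.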
