On 12.12.2025 19:29, Petr Menšík via Dnsmasq-discuss wrote:
There is a pihole issue created for what is in fact a dnsmasq problem:

https://github.com/pi-hole/FTL/issues/2737

dnsmasq fails where both unbound and bind9 pass the verification as insecure. The problem is that the domain has an incorrect owner name in the RRSIG: cloudflare.net.

I will try to create a patch sometime around Christmas, but just wanted to make it known. Somebody might be faster. Verified it happens on the last released dnsmasq. Have not tried the last git, but expect that it is affected as well.

It is okay by other implementations:

delv rivcoed.org.

unbound-host -rvDt A rivcoed.org.

I think because the rivcoed.org. DS record is not present anyway, the signature does not need to be checked in this case. dnsmasq fails too early.

I agree. Another of those cases where making the code work made it simpler and cleaner too.


https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1269f074f86bb959863012063060a3a082d37dc4



Cheers,

Simon.

Cheers,
Petr
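
The ordering issue discussed in this thread, as an added example: it is a simplified model, not dnsmasq's code and not the content of the commit linked above. The struct, the function names and the sample data are hypothetical, the RRSIG name is modelled as a signer field, and the parent-side DS answer is assumed to be already validated.

```c
#include <stdio.h>
#include <string.h>

enum ds_state { DS_PRESENT, DS_PROVEN_ABSENT };
enum status { SECURE, INSECURE, BOGUS };   /* printed as 0, 1, 2 */

/* One zone cut between the trust anchor and the queried name. */
struct zone_cut {
    const char *zone;         /* zone apex */
    enum ds_state ds;         /* validated parent-side answer for "<zone> DS" */
    const char *rrsig_signer; /* name carried in the zone's RRSIGs, NULL if unsigned */
    int sig_ok;               /* constructed flag: would the signature verify? */
};

static enum status check_rrsig(const struct zone_cut *z)
{
    if (!z->rrsig_signer || strcmp(z->rrsig_signer, z->zone) != 0 || !z->sig_ok)
        return BOGUS;
    return SECURE;
}

/* Too-early failure: the answer's RRSIG is judged before the delegation status. */
enum status validate_sig_first(const struct zone_cut *path, int n)
{
    enum status leaf = check_rrsig(&path[n - 1]);
    if (leaf == BOGUS && path[n - 1].rrsig_signer) return BOGUS;
    for (int i = 0; i < n; i++)
        if (path[i].ds == DS_PROVEN_ABSENT) return INSECURE;
    return leaf;
}

/* Walk down from the anchor: a proven-absent DS ends the chain of trust,
   so RRSIGs at or below that cut are never evaluated. */
enum status validate_ds_first(const struct zone_cut *path, int n)
{
    for (int i = 0; i < n; i++)
        if (path[i].ds == DS_PROVEN_ABSENT) return INSECURE;
    return check_rrsig(&path[n - 1]);
}

/* Constructed sample paths: same mismatched RRSIG name, without and with a DS. */
const struct zone_cut no_ds[] = { { "org.", DS_PRESENT, "org.", 1 },
    { "rivcoed.org.", DS_PROVEN_ABSENT, "cloudflare.net.", 1 } };
const struct zone_cut with_ds[] = { { "org.", DS_PRESENT, "org.", 1 },
    { "rivcoed.org.", DS_PRESENT, "cloudflare.net.", 1 } };

int main(void)
{
    printf("%d %d\n", validate_sig_first(no_ds, 2), validate_ds_first(no_ds, 2));
    return 0;
}
```

With a DS present for the zone, both orderings still reject the mismatched RRSIG, so checking the delegation first does not weaken validation of signed zones.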


