A classic bug caused by the user (you) doing something the coder (me)
didn't expect :)
I just pushed 2.93test8 to git and the test-releases directory on
thekelleys.org.uk. The relevant commit is
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=5be5dc1f16143222f104f3d33cedb6a77e9f182d
Now, if there's no configured upstream server for the parent domain of a
domain-specific server (i.e. in this case for the root), then dnsmasq will
treat that as a reason to assume that the domain-specific server's
domain (i.e. internal) is not signed.
After removing 8.8.8.8 as you suggest, it now Works For Me.
Cheers,
Simon.
On 19.03.2026 02:00, [email protected] wrote:
In my case the dnsmasq has no connection to any public DNS server to perform DS
validation. Remove this (dnsmasq: using nameserver 8.8.8.8#53) and test again.
But even with no connection, resolving local domains and unqualified domains via
the external server should work.
--
Secured with Tuta Mail:
https://tuta.com/free-email
Mar 17, 2026, 22:05 by [email protected]:
The relevant changes and the rationale for making them are at
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=57f0489f384193f7c962fb2a20c9e2e867f86039
I just did a simple test that looks analogous to what you're doing, and it all
worked as expected.
dnsmasq: DNSSEC validation enabled
dnsmasq: configured with trust anchor for <root> keytag 20326
dnsmasq: using nameserver 127.0.0.1#10002 for domain internal
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 10 names
dnsmasq: query[A] simon.internal from ::1
dnsmasq: forwarded simon.internal to 127.0.0.1#10002
dnsmasq: dnssec-query[DS] internal to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 21831, algo 8
dnsmasq: reply . is DNSKEY keytag 38696, algo 8
dnsmasq: reply . is DNSKEY keytag 20326, algo 8
dnsmasq: Negative DS reply without NS record received for internal, assuming non-DNSSEC domain-specific server.
dnsmasq: reply internal is no DS
dnsmasq: validation result is INSECURE
dnsmasq: reply simon.internal is 1.2.3.4
So there's something that's in your setup but not mine that I didn't think of.
As a start, please could you enable log-queries and run the test again, then
post the resulting log.
Cheers,
Simon.
On 11.03.2026 06:19, Rodolfo Silva via Dnsmasq-discuss wrote:
Dears,
I use a custom dnsmasq configuration in which dnsmasq uses my local DNS
server for unqualified hostnames and hostnames with the custom domain dw.internal.
Configuration looks like this:
# Add other name servers here, with domain specs if they are for
# non-public domains.
servers-file=/var/run/NetworkManager/local-net-dns-servers.conf
/var/run/NetworkManager/local-net-dns-servers.conf
server=/dw.internal/10.24.64.3@eth0
server=//10.24.64.3@eth0
I have DNSSEC validation enabled, and now when querying a local hostname:
dig router1.dw.internal
dnsmasq tries to validate the response even if this local zone is not signed:
validation router1.dw.internal is ABANDONED
I fixed this by including trust-anchor=internal in the global dnsmasq.conf.
But maybe we can AUTOMATICALLY exclude any custom non-public domain from
DNSSEC validation?
If not possible, does the logic allow including the trust-anchor statement in
the servers-file?
Prior to v2.92, validation for the internal domain just went fine.
Expecting any advice.
_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
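The thread above turns on reading dnsmasq's log-queries output correctly: a name under a server=/domain/ entry is validated by fetching a DS proof for that domain from the upstream that serves its parent, so with no reachable parent upstream the result is ABANDONED (pre-2.93test8) rather than INSECURE. The following script is an added example for this page, not dnsmasq's own code or anything posted by Simon or Rodolfo. It parses the log line formats shown in the thread, maps each query to the most specific domain-specific server (dnsmasq picks the longest matching server=/domain/ entry), and attaches a triage hint. The sample log is constructed from the lines in the thread; the second lookup, its client address and the 10.24.64.3#53 port are assumptions.

```python
"""Triage dnsmasq log-queries output for DNSSEC outcomes on names routed to a
domain-specific upstream (server=/domain/address).

Added example for this thread, not dnsmasq's own code. Line formats are the
ones shown in the thread; SAMPLE_LOG is constructed from them (the second
lookup, its client and the 10.24.64.3#53 port are assumed).
"""
import re

# Constructed sample. First lookup: Simon's healthy test (DS proof for 'internal'
# fetched via 8.8.8.8, result INSECURE). Second lookup models Rodolfo's report:
# router1.dw.internal goes to 10.24.64.3, no DS proof is fetched, validation ABANDONED.
SAMPLE_LOG = """\
dnsmasq: DNSSEC validation enabled
dnsmasq: configured with trust anchor for <root> keytag 20326
dnsmasq: using nameserver 127.0.0.1#10002 for domain internal
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: query[A] simon.internal from ::1
dnsmasq: forwarded simon.internal to 127.0.0.1#10002
dnsmasq: dnssec-query[DS] internal to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply internal is no DS
dnsmasq: validation result is INSECURE
dnsmasq: reply simon.internal is 1.2.3.4
dnsmasq: using nameserver 10.24.64.3#53 for domain dw.internal
dnsmasq: query[A] router1.dw.internal from 127.0.0.1
dnsmasq: forwarded router1.dw.internal to 10.24.64.3#53
dnsmasq: validation router1.dw.internal is ABANDONED
"""

RE_DOMAIN_SERVER = re.compile(r"using nameserver (\S+) for domain (\S+)")
RE_DEFAULT_SERVER = re.compile(r"using nameserver (\S+)$")
RE_QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
RE_DS_QUERY = re.compile(r"dnssec-query\[DS\] (\S+) to (\S+)")
RE_RESULT = re.compile(r"validation result is (\w+)")       # per-query summary line
RE_NAMED_RESULT = re.compile(r"validation (\S+) is (\w+)")  # e.g. "... is ABANDONED"


def matching_domain(name, domains):
    """Most specific configured domain covering name (dnsmasq uses the longest
    matching server=/domain/ entry), or None if no domain-specific server applies."""
    name = name.rstrip(".").lower()
    best = None
    for dom in domains:
        if name == dom or name.endswith("." + dom):
            if best is None or len(dom) > len(best):
                best = dom
    return best


def parse_log(text):
    """Split log-queries output into the upstream map and one record per query."""
    domain_servers, default_servers, records, current = {}, [], [], None
    for line in text.splitlines():
        line = line.rstrip()
        if m := RE_DOMAIN_SERVER.search(line):
            domain_servers[m.group(2).rstrip(".").lower()] = m.group(1)
        elif m := RE_DEFAULT_SERVER.search(line):
            default_servers.append(m.group(1))
        elif m := RE_QUERY.search(line):
            current = {"qtype": m.group(1), "name": m.group(2), "client": m.group(3),
                       "ds_queries": [], "result": None}
            records.append(current)
        elif current is None:
            continue
        elif m := RE_DS_QUERY.search(line):
            current["ds_queries"].append((m.group(1), m.group(2)))
        elif m := RE_RESULT.search(line):  # checked before RE_NAMED_RESULT on purpose
            current["result"] = m.group(1)
        elif (m := RE_NAMED_RESULT.search(line)) and m.group(1).lower() == current["name"].lower():
            current["result"] = m.group(2)
    return domain_servers, default_servers, records


def triage(text):
    """Classify every logged query; the ABANDONED hints describe the case the thread
    is about: a domain-specific server whose parent has no reachable upstream."""
    domain_servers, default_servers, records = parse_log(text)
    findings = []
    for rec in records:
        dom = matching_domain(rec["name"], domain_servers)
        result = rec["result"] or "NO-RESULT"
        if dom is None:
            hint = "not under a domain-specific server; ordinary validation path"
        elif result == "ABANDONED" and default_servers:
            hint = ("DS proof for %s needs an answer from the parent upstream (%s); check that "
                    "it is reachable, or remove it so 2.93test8+ assumes the domain is unsigned"
                    % (dom, ", ".join(default_servers)))
        elif result == "ABANDONED":
            hint = ("no upstream configured for the parent of %s, so no DS proof can be "
                    "fetched; 2.93test8+ treats this as an unsigned domain" % dom)
        elif result == "INSECURE":
            hint = "proven unsigned by a DS lookup at the parent; expected for %s" % dom
        else:
            hint = "result %s for a name under %s" % (result, dom)
        findings.append({"name": rec["name"], "result": result, "domain": dom,
                         "server": domain_servers.get(dom), "ds_queries": rec["ds_queries"],
                         "hint": hint})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-22s %-10s %s" % (f["name"], f["result"], f["hint"]))
```

Run it against a real log with `log-queries` (and `log-dnssec`, if the build has it) enabled; any query under a server=/domain/ entry that ends ABANDONED while no DS query for that domain appears in its record is the symptom reported here, and the hint tells you whether the parent upstream is missing or merely unreachable.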