惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Schneier on Security
Schneier on Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Attack and Defense Labs
Attack and Defense Labs
H
Hacker News: Front Page
Google DeepMind News
Google DeepMind News
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
Cisco Talos Blog
Cisco Talos Blog
T
Tenable Blog
G
Google Developers Blog
A
About on SuperTechFans
The Cloudflare Blog
S
Securelist
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
Cisco Blogs
H
Hackread – Cybersecurity News, Data Breaches, AI and More
aimingoo的专栏
aimingoo的专栏
云风的 BLOG
云风的 BLOG
Forbes - Security
Forbes - Security
腾讯CDC
Application and Cybersecurity Blog
Application and Cybersecurity Blog
V
Vulnerabilities – Threatpost
IT之家
IT之家
博客园_首页
P
Proofpoint News Feed
P
Privacy & Cybersecurity Law Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
Project Zero
Project Zero
月光博客
月光博客
NISL@THU
NISL@THU
爱范儿
爱范儿
S
Secure Thoughts
K
Kaspersky official blog
Security Latest
Security Latest
T
Tailwind CSS Blog
博客园 - Franky
D
Darknet – Hacking Tools, Hacker News & Cyber Security
TaoSecurity Blog
TaoSecurity Blog
The GitHub Blog
The GitHub Blog
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog RSS Feed
S
SegmentFault 最新的问题
H
Help Net Security
T
Tor Project blog
L
LINUX DO - 热门话题
S
Security @ Cisco Blogs
N
News and Events Feed by Topic
O
OpenAI News
S
Schneier on Security

dnsmasq-discuss

[Dnsmasq-discuss] Announce: dnsmasq-2.92rc2 Re: [Dnsmasq-discuss] [PATCH] Fix arguments order for chaos subdomain check Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] server= with interface parameter changes behavior over time [Dnsmasq-discuss] NFTsets and hosts-files [Dnsmasq-discuss] [PATCH] Fix local host records being overridden by upstream NXDOMAIN [Dnsmasq-discuss] [PATCH] Fix arguments order for chaos subdomain check Re: [Dnsmasq-discuss] Malformed RRSIG Can Crash dnsmasq [Dnsmasq-discuss] Malformed NSEC/NSEC3 Can Hang dnsmasq [Dnsmasq-discuss] Malformed RRSIG Can Crash dnsmasq [Dnsmasq-discuss] Security - IMPORTANT Re: [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests Re: [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests Re: [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] dnssec problem here and now Re: [Dnsmasq-discuss] dnssec problem here and now [Dnsmasq-discuss] dnssec problem here and now Re: [Dnsmasq-discuss] server= with interface parameter changes behavior over time Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] Preserve existing log file permissions when adding group-write bit. [Dnsmasq-discuss] server= with interface parameter changes behavior over time [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] Preserve existing log file permissions when adding group-write bit. Re: [Dnsmasq-discuss] [BUG] SIGSEGV when parsing invalid "--interface-name" or "--dynamic-host" options Re: [Dnsmasq-discuss] Suggestion to increase default for max-tcp-connections [Dnsmasq-discuss] server priority clarification after e86d53c [Dnsmasq-discuss] [BUG] SIGSEGV when parsing invalid "--interface-name" or "--dynamic-host" options [Dnsmasq-discuss] Suggestion to increase default for max-tcp-connections Re: [Dnsmasq-discuss] [PATCH] Preserve existing log file permissions when adding group-write bit. [Dnsmasq-discuss] [Bug] Heap buffer overflow in cache_recv_insert() due to pipe de-synchronization Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] [PATCH] DHCPv6 network range is not checked well with dhcp-sequential-ip [Dnsmasq-discuss] [Bug] Buffer underflow in hostname_issubdomain() [Dnsmasq-discuss] [PATCH] Don't penalize conditional forwarders for REFUSED responses [Dnsmasq-discuss] BUG:Heap buffer overflow in src/forward.c due to incorrect pointer arithmetic (CWE-122) Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] Potential privacy issue: filter-rr inefficiency Re: [Dnsmasq-discuss] TCP optimization regressions Re: [Dnsmasq-discuss] Bug: Null pointer dereference in domain-match.c at line 82 (dnsmasq 2.92test21-1-gee09f06) [Dnsmasq-discuss] [PATCH] ubus: add lease management methods [Dnsmasq-discuss] Regression/Feature Request for 2.92 [Dnsmasq-discuss] cotillon por mayor [Dnsmasq-discuss] Por Qué el Alquiler de Plataformas Elevadoras es la Clave del Éxito para Tu Empresa Re: [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device [Dnsmasq-discuss] Bug: Null pointer dereference in domain-match.c at line 82 (dnsmasq 2.92test21-1-gee09f06) [Dnsmasq-discuss] TCP optimization regressions Re: [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device Re: [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 Re: [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 Re: [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 [Dnsmasq-discuss] Potential privacy issue: filter-rr inefficiency Re: [Dnsmasq-discuss] Bug with NS records when using dnsmasq as authoritative nameserver without specific auth-interface Re: [Dnsmasq-discuss] Bug with NS records when using dnsmasq as authoritative nameserver without specific auth-interface Re: [Dnsmasq-discuss] segfault with an empty OPTION_SNAME [Dnsmasq-discuss] Bug with NS records when using dnsmasq as authoritative nameserver without specific auth-interface Re: [Dnsmasq-discuss] segfault with an empty OPTION_SNAME [Dnsmasq-discuss] segfault with an empty OPTION_SNAME Re: [Dnsmasq-discuss] Shut down caused by device request address. Re: [Dnsmasq-discuss] Shut down caused by device request address. Re: [Dnsmasq-discuss] Shut down caused by device request address. [Dnsmasq-discuss] Shut down caused by device request address. [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device Re: [Dnsmasq-discuss] dnsmasq with high availability and dynamic range [Dnsmasq-discuss] dnsmasq with high availability and dynamic range [Dnsmasq-discuss] PATCH] PXE boot server (PXEBS) responses broken in 2.92 — missing else in dhcp.c [Dnsmasq-discuss] PATCH] PXE boot server (PXEBS) responses broken in 2.92 — missing else in dhcp.c [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Incorrect SERVFAIL on dnssec and rivcoed.org. domain [Dnsmasq-discuss] Announce: dnsmasq-2.92 Re: [Dnsmasq-discuss] dnsmasq does not forward requests with no default route is set [Dnsmasq-discuss] DNSSEC validation fails for wildcard subdomains [Dnsmasq-discuss] Add an option to not always add a pseudo header? Re: [Dnsmasq-discuss] Announce: 2.92.rc1, rc3 & patches overseen Re: [Dnsmasq-discuss] Portable PXE boot appliance [Dnsmasq-discuss] Portable PXE boot appliance Re: [Dnsmasq-discuss] Question about IPv6 settings [Dnsmasq-discuss] Incorrect SERVFAIL on dnssec and rivcoed.org. domain [Dnsmasq-discuss] Question about IPv6 settings Re: [Dnsmasq-discuss] iPhone 17 Pro Max DHCP not working [Dnsmasq-discuss] iPhone 17 Pro Max DHCP not working Re: [Dnsmasq-discuss] [PATCH 0/3] Announce: 2.92.rc1 [Dnsmasq-discuss] [PATCH 0/3] Announce: 2.92.rc1 [Dnsmasq-discuss] [PATCH 3/3] Fix some issues with the swedish manual page, some causing lintian warnings [Dnsmasq-discuss] [PATCH2/3] Fix typos in the english manual page [Dnsmasq-discuss] [PATCH 1/3] Remove trailing white space from dnsmasq.conf.example [Dnsmasq-discuss] Announce: 2.92.rc1 [Dnsmasq-discuss] dnsmasq rejects TCP queries originating from Kubernetes pods Re: [Dnsmasq-discuss] Git: Is first dhcp.c address_available() for/if code correct? [Dnsmasq-discuss] [PATCH dnsmasq 1/1] fix SIGSEGV in dbus.c when no dhcp-range is configured
[Dnsmasq-discuss] [PATCH] Allow expired RRSIGs when stale caching is enabled
Dominik Derigs · 2026-05-16 · via dnsmasq-discuss
Hi Simon,

Pi-hole enables use-stale-cache by default to reduce DNS latency for clients - they get an instant stale answer while dnsmasq refreshes in the background.

When this feature is combined with DNSSEC validation and a caching upstream resolver like unbound (Pi-hole + local unbound is a very popular combination), use-stale-cache creates a problematic interaction with RRSIG timestamp checking:

1. Unbound caches a response with its RRSIGs at time T and validates them (RRSIGs are valid at that point) 2. Later, dnsmasq queries unbound; unbound returns the cached response whose RRSIG has since expired 3. validate_rrset() finds sig_expiration < curtime, skips all signatures, and returns BOGUS with EDE "signature expired" (7) 4. Every concurrent query for that domain fails until unbound refreshes its cache

Popular resolvers like unbound enable serve-expired with no time limit by default, so RRSIGs can be days past their expiration timestamp by the time dnsmasq sees them. In various user submitted logs (no telemetry, they have to opt-in sending them so we help them solving issues easier) we often saw bursts of dozens of BOGUS results across many DNSSEC-signed domains (slack.com, startpage.com, paypal.com, computer-bild.de, ...) with the same EDE code 7, all clearing up after a few seconds once the upstream cache refreshes. During the failure window the domains are completely unreachable for clients.

The core tension is that use-stale-cache deliberately trades freshness for availability on the data plane (is_expired() in cache.c serves stale records past their TTL), but the RRSIG timestamp check in validate_rrset() enforces strict freshness on the validation plane. When a caching upstream sits between dnsmasq and the authoritative servers, these two policies conflict - enforcing strict RRSIG freshness on top of deliberately stale data is contradictory.

I have been able to confirm this issue myself easily with such a local unbound setup (serve-expired with no time limit). The key is that you have to visit a website that is DNSSEC protected but which you don't visit usually. Then visit it once (saves it in unbound's cache), do other things for two days, then visit it again. You will then observe what I described here. My own observations showed RRSIGs expiration ages range from ~25,000s (~7h) to ~40,000s (~11h). I first considered us using our stale timeout setting in dnsmasq but reality proved that this was insufficient as the external resolvers may give us RRSIGs which are much older.

The attached patch resolves this intermittent error by skipping the RRSIG expiration timestamp check when use-stale-cache is enabled (cache_max_expiry != 0). The actual cryptographic signature check still runs in full - only the timestamp gate is relaxed. When stale caching is disabled (the default), behaviour is completely unchanged. Hence, this patch should make the dnsmasq DNSSEC implementation only more consistent, but not weaker.

Cheers,
Dominik
From 26c83adc4815e46d64b982105d74968dd9796d2d Mon Sep 17 00:00:00 2001
From: Dominik <[email protected]>
Date: Mon, 6 Apr 2026 11:07:18 +0200
Subject: [PATCH] Allow expired RRSIGs when stale caching is enabled.

When dnsmasq forwards to a caching validating resolver (e.g. unbound
with serve-expired), the upstream may return responses from its cache
whose RRSIGs have expired since being cached - the upstream validated
them when they were fresh, but by the time dnsmasq re-validates, the
signatures have passed their expiration timestamp.

This causes intermittent DNSSEC BOGUS failures (EDE: "signature
expired") that clear up once the upstream refreshes its cache.

Pi-hole enables use-stale-cache by default to reduce DNS latency for
clients - they get an instant stale answer while dnsmasq refreshes in
the background. Combined with DNSSEC validation and a caching upstream
like unbound, this creates a window where every query for a DNSSEC-
signed domain fails BOGUS until the upstream cache refreshes. Popular
resolvers like unbound enable serve-expired with no time limit by
default, so RRSIGs can be days past expiration by the time dnsmasq
sees them.

When use-stale-cache is enabled, skip the RRSIG expiration timestamp
check entirely. The signature still receives full cryptographic
verification - only the timestamp gate is relaxed. This is consistent
with the existing stale cache design: is_expired() in cache.c already
serves stale data records past their TTL, so enforcing strict RRSIG
freshness on top of deliberately stale data is contradictory.

When stale caching is disabled (cache_max_expiry == 0), behaviour is
completely unchanged.

Signed-off-by: Dominik <[email protected]>
---
 src/dnssec.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index b6e5502..c575713 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -514,7 +514,17 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
 	    failflags &= ~DNSSEC_FAIL_NYV;
 	  
 	  if (serial_compare_32(curtime, sig_expiration) == SERIAL_GT)
-	    continue;
+	    {
+	      /* When stale caching is enabled, skip the RRSIG expiration check.
+		 A caching forwarder (e.g. unbound with serve-expired) may return
+		 responses whose RRSIGs expired long ago but were valid when
+		 originally cached upstream. The signature still gets full
+		 cryptographic verification - only the timestamp gate is relaxed. */
+	      if (daemon->cache_max_expiry != 0)
+		failflags &= ~DNSSEC_FAIL_EXP;
+	      else
+		continue;
+	    }
 	  else
 	    failflags &= ~DNSSEC_FAIL_EXP;
 	}
-- 
2.43.0

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss