Robert Edmonds wrote:
Robert Edmonds wrote:
so unbound forwarding to 4.2.2.1 works, but unbound forwarding to
dnsmasq which forwards to 4.2.2.1 does not work. so dnsmasq is not
fully transparent when forwarding between a validating forwarder and a
validating recursive nameserver.
ugh, i meant "DNSSEC-conformant recursive nameserver" here, not
"validating recursive nameserver". the level3 open recursives (4.2.2.X)
don't perform validation.
A quick query on the dnsmasq configuration in use here: is the
--domain-needed flag set in /etc/dnsmasq.conf? I think that's causing
the problem because the DS query for ".com" hits the filter. There are
already exceptions on this filter for SOA and NS queries, the DNSSEC era
requires that DS queries are added to that list.
Assuming I've diagnosed this right, removing --domain-needed is a quick
and simple workaround.
Cheers,
Simon.
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
