Dear list members,

to my understanding, dnsmasq should not return any valid records for BOGUS
domains.
However, using Cloudflare (1.1.1.1 / 1.0.0.1) as upstream, I see a domain being
validated as BOGUS in the log; however, the A query still succeeds and the
client receives valid IP addresses. I'm using dnsmasq v2.80.

Corresponding log excerpt:

Mar  1 12:07:43 dnsmasq[28682]: query[A] www.vp4.navy.mil from 192.168.0.135
Mar  1 12:07:43 dnsmasq[28682]: forwarded www.vp4.navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 2
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DNSKEY] mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 59896, algo 8
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 10428, algo 8
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 15450, algo 8
Mar  1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 2
Mar  1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] vp4.navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Mar  1 12:07:43 dnsmasq[28682]: reply vp4.navy.mil is BOGUS DS
Mar  1 12:07:43 dnsmasq[28682]: validation www.vp4.navy.mil is BOGUS
Mar  1 12:07:43 dnsmasq[28682]: reply www.vp4.navy.mil is <CNAME>
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 34.196.13.230
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 52.0.22.76

Is this intended behavior?

Best regards,
Dominik


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
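
Added example (not part of the original message and not dnsmasq code): a small log check that reports every name logged as "validation ... is BOGUS" for which address replies are still logged afterwards, which is the pattern in the excerpt above. It assumes the log line shape shown in the excerpt and that queries are not interleaved in the log; the SECURE control lines at the end of the sample are constructed.

```python
import ipaddress
import re

# Line shape as in the excerpt: "dnsmasq[pid]: <event> <name> [is <value>]"
LINE = re.compile(r"dnsmasq\[\d+\]: (query\[\w+\]|validation|reply) (\S+)(?: is (.+))?")

def is_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def bogus_answers(lines):
    """Map each name validated as BOGUS to the address replies logged after it."""
    findings, current = {}, None
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # forwarded, dnssec-query and warning lines
        event, name, value = m.group(1), m.group(2), (m.group(3) or "").strip()
        if event.startswith("query["):
            current = None  # assumption: a new client query ends the previous one
        elif event == "validation":
            current = name if value == "BOGUS" else None
        elif current and is_address(value):
            # Address replies after the BOGUS verdict, CNAME targets included
            findings.setdefault(current, []).append((name, value))
    return findings

# First eight lines come from the excerpt above; the last three are constructed.
SAMPLE = """\
Mar  1 12:07:43 dnsmasq[28682]: query[A] www.vp4.navy.mil from 192.168.0.135
Mar  1 12:07:43 dnsmasq[28682]: forwarded www.vp4.navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] vp4.navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: reply vp4.navy.mil is BOGUS DS
Mar  1 12:07:43 dnsmasq[28682]: validation www.vp4.navy.mil is BOGUS
Mar  1 12:07:43 dnsmasq[28682]: reply www.vp4.navy.mil is <CNAME>
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 34.196.13.230
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 52.0.22.76
Mar  1 12:07:44 dnsmasq[28682]: query[A] example.org from 192.168.0.135
Mar  1 12:07:44 dnsmasq[28682]: validation example.org is SECURE
Mar  1 12:07:44 dnsmasq[28682]: reply example.org is 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for bogus, answers in bogus_answers(SAMPLE).items():
        for name, addr in answers:
            print(f"BOGUS {bogus}: address reply logged for {name} -> {addr}")
```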
