On Tue, Dec 30, 2025 at 07:44:39PM +0100, Jan Breig via Dnsmasq-discuss wrote:
> Hello,
>
> I have set up a wildcard DNS CNAME record `*.b.c.pygos.space`.

Ack

> When using dnsmasq with DNSSEC validation enabled, a query to this wildcard
> causes a SERVFAIL.
> Queries to explicit subdomains that the wildcard resolves to are successful.

Acknowledge on that observation.

> Steps to reproduce:
>
> 1. Setup dnsmasq
>    /etc/dnsmasq.conf
>    -----------------------------------------------
>    conf-file=/usr/share/dnsmasq/trust-anchors.conf
>    dnssec
>    -----------------------------------------------
>
> 2. Start dnsmasq
>    # dnsmasq -d --dnssec
>
> 3. Request an explicit subdomain
>    # dig a.b.c.pygos.space @127.0.0.1
>    -> works
>
> 4. Request the wildcard subdomain itself
>    # dig *.b.c.pygos.space @127.0.0.1
>    -> fails with SERVFAIL (NSEC Missing)
>
> 5. Request the wildcard subdomain with another resolver
>    # dig *.b.c.pygos.space @1.1.1.1
>    -> works

Please elaborate on the "-> works".

For better discussion, this is what is seen by me:

|$ dig *.b.c.pygos.space @1.1.1.1
|
|; <<>> DiG 9.20.1-1-Debian <<>> *.b.c.pygos.space @1.1.1.1
|;; global options: +cmd
|;; Got answer:
|;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39580
|;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
|
|;; OPT PSEUDOSECTION:
|; EDNS: version: 0, flags:; udp: 1232
|;; QUESTION SECTION:
|;*.b.c.pygos.space. IN A
|
|;; ANSWER SECTION:
|*.b.c.pygos.space. 300 IN CNAME pygos.space.
|pygos.space. 60 IN A 46.167.27.232
|
|;; Query time: 40 msec
|;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
|;; WHEN: Wed Dec 31 09:43:09 CET 2025
|;; MSG SIZE rcvd: 76
|
|$

> I experienced this bug when using pihole. Related bug:
> https://github.com/pi-hole/FTL/issues/2751

Which has a recent update that nicely asks

  What is being expected?

> Best regards,
> Jan Breig

Groeten
Geert Stappers
-- 
Silence is hard to parse
