Hi,

Not sure where the problem is... maybe others can reproduce this.

When using bugs.gentoo.org with dnsmasq and dnssec enabled, I cannot access attachments. The attachments are forwarded to a CNAME, for example:
---
546330.bugs.gentoo.org. 60 IN CNAME bugs-gossamer.gentoo.org.
bugs-gossamer.gentoo.org. 300 IN CNAME gannet.gentoo.org.
gannet.gentoo.org. 604800 IN A 204.187.15.4
---

When trying to access without dnssec all is ok:
---
Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
Apr 21 20:19:04 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
Apr 21 20:19:04 [dnsmasq] reply bugs-gossamer.gentoo.org is <CNAME>
Apr 21 20:19:04 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
---

When trying to access with dnssec, notice the "validation result is BOGUS", no result is returned:
---
Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] . to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 19036
Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 48613
Apr 21 20:09:33 [dnsmasq] reply org is DS keytag 21366
- Last output repeated twice -
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 3213
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 21366
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 9795
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 34023
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DS keytag 46873
- Last output repeated twice -
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 52980
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
Apr 21 20:09:33 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
Apr 21 20:09:33 [dnsmasq] reply bugs-gossamer.gentoo.org is <CNAME>
Apr 21 20:09:33 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
---

Maybe it is a local issue of the DNS I am using (I have no access to it), but maybe there is an issue at infra.

Regards,
Alon Bar-Lev.