Simon Kelley wrote:
> Robert Edmonds wrote:
> > Robert Edmonds wrote:
> > > so unbound forwarding to 4.2.2.1 works, but unbound forwarding to
> > > dnsmasq which forwards to 4.2.2.1 does not work. so dnsmasq is not
> > > fully transparent when forwarding between a validating forwarder and a
> > > validating recursive nameserver.
> >
> > ugh, i meant "DNSSEC-conformant recursive nameserver" here, not
> > "validating recursive nameserver". the level3 open recursives (4.2.2.X)
> > don't perform validation.
> >
>
> A quick query on the dnsmasq configuration in use here: is the
> --domain-needed flag set in /etc/dnsmasq.conf? I think that's
> causing the problem because the DS query for ".com" hits the filter.
> There are already exceptions on this filter for SOA and NS queries;
> the DNSSEC era requires that DS queries are added to that list.
>
> Assuming I've diagnosed this right, removing --domain-needed is a
> quick and simple workaround.
from the man page:

  -D, --domain-needed
      Tells dnsmasq to never forward queries for plain names, without
      dots or domain parts, to upstream nameservers. If the name is not
      known from /etc/hosts or DHCP then a "not found" answer is
      returned.

um, i think i know what a "plain name, without dots or domain parts" is,
but dnsmasq is a DNS server and deals with wire-format domain names,
right? does dnsmasq seriously respond with NXDOMAIN to queries for the
wire-format name "\x03com\x00" (presentation format: "com.") because it
has only a single label? that is beyond broken.

-- 
Robert Edmonds
edmo...@debian.org
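To make the interaction concrete, here is an added example (not dnsmasq's code, and not posted by anyone in this thread) that models the --domain-needed filter as the thread describes it: a wire-format name with a single label is "plain", SOA and NS are the existing exceptions, and adding DS is the proposed fix. The filter logic and RR type constants are a simplified model, not dnsmasq's actual implementation.

```python
# Added example: models the --domain-needed filter described in the thread.
# This is NOT dnsmasq's code; the exception list is what the thread states
# (SOA and NS) plus the DS addition Simon Kelley proposes.
from typing import List, Set

# RR type codes from RFC 1035 (NS, SOA) and RFC 4034 (DS)
QTYPE_NS, QTYPE_SOA, QTYPE_DS = 2, 6, 43


def parse_wire_name(wire: bytes) -> List[str]:
    """Decode an uncompressed wire-format name into its labels.

    b"\\x03com\\x00" -> ["com"]; the root name b"\\x00" -> [].
    """
    labels, pos = [], 0
    while True:
        if pos >= len(wire):
            raise ValueError("name runs past end of buffer")
        length = wire[pos]
        pos += 1
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0:        # compression pointer: not valid in a QNAME
            raise ValueError("compression pointers not allowed in a query name")
        if pos + length > len(wire):
            raise ValueError("label runs past end of buffer")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    return labels


def is_plain_name(wire: bytes) -> bool:
    """A 'plain name' in the man-page sense: exactly one label, no dots."""
    return len(parse_wire_name(wire)) == 1


def forwarded(wire: bytes, qtype: int, exceptions: Set[int]) -> bool:
    """True if the filter lets a query for this name/type reach upstream."""
    return not is_plain_name(wire) or qtype in exceptions


# Exception list as described in the thread, and with the proposed DS addition.
CURRENT_EXCEPTIONS = {QTYPE_SOA, QTYPE_NS}
PROPOSED_EXCEPTIONS = CURRENT_EXCEPTIONS | {QTYPE_DS}

COM_WIRE = b"\x03com\x00"  # constructed: wire-format "com."

if __name__ == "__main__":
    print("DS com. forwarded (current):", forwarded(COM_WIRE, QTYPE_DS, CURRENT_EXCEPTIONS))
    print("DS com. forwarded (proposed):", forwarded(COM_WIRE, QTYPE_DS, PROPOSED_EXCEPTIONS))
```

With the current exception set the DS query for "com." is answered locally and never reaches the upstream resolver, which is exactly what breaks a validating forwarder behind dnsmasq; with DS in the set it is forwarded.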