Hey Simon, I was assuming dnsmasq was sending the address to the client as it was able to resolve the page (as in able to access it). However, this could very well have been caused by the client sending out multiple queries and at least one of the were answered with IPs.
This seems to be the exact situation DNSSEC was created for. CloudFlare is trying to provide information that is not accurate and should be flagged BOGUS so there is no dnsmasq bug here. Maybe logging was a bit misleading but I should have paid more attention to the replies to the client. Thanks! Best regards, Dominik On Fri, 2019-03-01 at 21:01 +0000, Simon Kelley wrote: > On 01/03/2019 20:33, Simon Kelley wrote: > > > What's worrying is that Cloudflare and Google are both quite happy that > > the answer is _not_ bogus, but dnsmasq thinks it is. I shall poke around > > some more to try and understand that. > > > > > > > > Answering myself, this appears to be a cloudflare bug, which I've seen > before. Sometimes the Cloudflare servers give a correct answer to a > query for a DS record at vp4.navy.mil with proof that such a record > doesn't exist _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss