Dnsmasq seems to have a bug where it will return an incorrect Bogus validation 
verdict for domains that in reality are Insecure. The bug does not appear to 
impact Secure domains, at least I have not observed that happening.

When the bug occurs, the error «Insecure DS reply received, do upstream DNS 
servers support DNSSEC?» is logged.

While the message implies there is something wrong with the upstream DNS 
server, I do not believe this to be the case, as the other resolvers I have 
tested (systemd-resolved, Unbound, Knot Resolver and PowerDNS Recursor) do not 
have any problems with it.

For what it's worth, the upstream DNS server also performs DNSSEC validation 
on its own: it will, for example, refuse to look up dnssec-failed.org unless 
the Checking Disabled flag is set in the query, and it correctly sets the AD 
flag when looking up Secure domains. It runs BIND 9.9.5-3ubuntu0.19-Ubuntu, 
according to a version.bind CH TXT query. BIND's DNSSEC support is considered 
to be mature, as far as I know.

My /etc/dnsmasq.conf file contains the following:


If I trigger the bug by starting Dnsmasq and attempting to look up google.com 
immediately after, the following messages are logged:

aug. 24 10:36:50.136188 sloth.fud.no dnsmasq[9948]: listening on lo(#1): port 53
aug. 24 10:36:50.136595 sloth.fud.no dnsmasq[9948]: started, version 2.80 cachesize 150
aug. 24 10:36:50.136605 sloth.fud.no dnsmasq[9948]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
aug. 24 10:36:50.136620 sloth.fud.no dnsmasq[9948]: DNSSEC validation enabled
aug. 24 10:36:50.136633 sloth.fud.no dnsmasq[9948]: configured with trust anchor for <root> keytag 20326
aug. 24 10:36:50.136639 sloth.fud.no dnsmasq[9948]: configured with trust anchor for <root> keytag 19036
aug. 24 10:36:50.136648 sloth.fud.no dnsmasq[9948]: using nameserver for domain lan (no DNSSEC)
aug. 24 10:36:50.136655 sloth.fud.no dnsmasq[9948]: using nameserver
aug. 24 10:36:50.136673 sloth.fud.no dnsmasq[9948]: cleared cache
aug. 24 10:36:51.146834 sloth.fud.no dnsmasq[9948]: query[A] google.com from
aug. 24 10:36:51.146983 sloth.fud.no dnsmasq[9948]: forwarded google.com to
aug. 24 10:36:51.149917 sloth.fud.no dnsmasq[9948]: dnssec-query[DS] com to
aug. 24 10:36:51.151816 sloth.fud.no dnsmasq[9948]: dnssec-query[DNSKEY] . to
aug. 24 10:36:51.153947 sloth.fud.no dnsmasq[9948]: reply . is DNSKEY keytag 59944, algo 8
aug. 24 10:36:51.153991 sloth.fud.no dnsmasq[9948]: reply . is DNSKEY keytag 20326, algo 8
aug. 24 10:36:51.154245 sloth.fud.no dnsmasq[9948]: reply com is DS keytag 30909, algo 8, digest 2
aug. 24 10:36:51.154304 sloth.fud.no dnsmasq[9948]: dnssec-query[DS] google.com
aug. 24 10:36:51.156153 sloth.fud.no dnsmasq[9948]: dnssec-query[DNSKEY] com to
aug. 24 10:36:51.158387 sloth.fud.no dnsmasq[9948]: reply com is DNSKEY keytag 17708, algo 8
aug. 24 10:36:51.158430 sloth.fud.no dnsmasq[9948]: reply com is DNSKEY keytag 30909, algo 8
aug. 24 10:36:51.158576 sloth.fud.no dnsmasq[9948]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
aug. 24 10:36:51.158602 sloth.fud.no dnsmasq[9948]: reply google.com is BOGUS DS
aug. 24 10:36:51.158637 sloth.fud.no dnsmasq[9948]: validation google.com is
aug. 24 10:36:51.158671 sloth.fud.no dnsmasq[9948]: reply google.com is

I am attaching a PCAP containing the above exchange between Dnsmasq and my 
ISP's DNS server

I have also observed the issue occurring while using public DNS servers like instead of

My final observation is that it only happens intermittently. If I keep 
retrying the above lookup for google.com, it will eventually succeed and give 
the correct Insecure verdict.


Attachment: dns.pcap
Description: application/vnd.tcpdump.pcap
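The triage a reader of this report would want to automate, as an added example that is not part of the original message nor of the dnsmasq project: a small parser for the dnsmasq log format quoted above that picks out BOGUS DS verdicts issued right after an "Insecure DS reply received" complaint (an unsigned DS answer from upstream, not a signature that failed to verify) and lists names whose verdict flaps between BOGUS and INSECURE across retries, which is the intermittent behaviour described. The sample log is constructed, the client and upstream addresses are RFC 5737 documentation addresses, and the wording of the second, successful lookup (the INSECURE verdict line and the final answer) is an assumption about how dnsmasq logs a retry that goes right.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original message), modelled on the
# dnsmasq 2.80 lines quoted in the report.  Addresses are RFC 5737
# documentation addresses; the second lookup, which ends with an INSECURE
# verdict, is an assumption about how a successful retry would be logged.
SAMPLE_LOG = """\
aug. 24 10:36:51.146834 sloth.fud.no dnsmasq[9948]: query[A] google.com from 127.0.0.1
aug. 24 10:36:51.146983 sloth.fud.no dnsmasq[9948]: forwarded google.com to 192.0.2.53
aug. 24 10:36:51.149917 sloth.fud.no dnsmasq[9948]: dnssec-query[DS] com to 192.0.2.53
aug. 24 10:36:51.154245 sloth.fud.no dnsmasq[9948]: reply com is DS keytag 30909, algo 8, digest 2
aug. 24 10:36:51.154304 sloth.fud.no dnsmasq[9948]: dnssec-query[DS] google.com to 192.0.2.53
aug. 24 10:36:51.158576 sloth.fud.no dnsmasq[9948]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
aug. 24 10:36:51.158602 sloth.fud.no dnsmasq[9948]: reply google.com is BOGUS DS
aug. 24 10:36:51.158637 sloth.fud.no dnsmasq[9948]: validation google.com is BOGUS
aug. 24 10:36:58.000000 sloth.fud.no dnsmasq[9948]: query[A] google.com from 127.0.0.1
aug. 24 10:36:58.000100 sloth.fud.no dnsmasq[9948]: forwarded google.com to 192.0.2.53
aug. 24 10:36:58.000200 sloth.fud.no dnsmasq[9948]: dnssec-query[DS] google.com to 192.0.2.53
aug. 24 10:36:58.000300 sloth.fud.no dnsmasq[9948]: validation google.com is INSECURE
aug. 24 10:36:58.000400 sloth.fud.no dnsmasq[9948]: reply google.com is 198.51.100.7
"""

# "<month> <day> <time> <host> dnsmasq[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \d+ [\d:.]+) \S+ dnsmasq\[\d+\]: (?P<msg>.*)$")
DS_QUERY_RE = re.compile(r"^dnssec-query\[DS\] (?P<name>\S+)")
BOGUS_DS_RE = re.compile(r"^reply (?P<name>\S+) is BOGUS DS$")
VALIDATION_RE = re.compile(r"^validation (?P<name>\S+) is (?P<verdict>\S+)$")
INSECURE_DS_MSG = "Insecure DS reply received"


def parse_log(text):
    """Yield (timestamp, message) for every dnsmasq line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("msg")


def find_unsigned_ds_bogus(text):
    """Return (timestamp, name) for each BOGUS DS verdict issued right after
    dnsmasq complained about an unsigned ("Insecure") DS reply.

    A BOGUS verdict reached this way means the upstream answered the DS query
    without the RRSIG/NSEC material a validator needs, not that a signature
    failed to verify; these are the lookups worth retrying and capturing."""
    findings = []
    last_ds_name = None
    unsigned_pending = False
    for ts, msg in parse_log(text):
        m = DS_QUERY_RE.match(msg)
        if m:
            last_ds_name = m.group("name")
            unsigned_pending = False
            continue
        if msg.startswith(INSECURE_DS_MSG):
            unsigned_pending = True
            continue
        m = BOGUS_DS_RE.match(msg)
        if m:
            if unsigned_pending and m.group("name") == last_ds_name:
                findings.append((ts, m.group("name")))
            unsigned_pending = False
    return findings


def verdict_history(text):
    """Map each name to the ordered list of validation verdicts dnsmasq logged."""
    history = defaultdict(list)
    for _, msg in parse_log(text):
        m = VALIDATION_RE.match(msg)
        if m:
            history[m.group("name")].append(m.group("verdict"))
    return dict(history)


def flapping_names(text):
    """Names that got BOGUS on one lookup and a non-BOGUS verdict on another.

    A genuinely broken zone (dnssec-failed.org style) stays BOGUS on every
    retry; a name that flaps between BOGUS and INSECURE/SECURE points at the
    upstream or the resolver rather than at the zone."""
    flapping = []
    for name, verdicts in verdict_history(text).items():
        if "BOGUS" in verdicts and any(v != "BOGUS" for v in verdicts):
            flapping.append(name)
    return sorted(flapping)


if __name__ == "__main__":
    for ts, name in find_unsigned_ds_bogus(SAMPLE_LOG):
        print(f"{ts}: BOGUS DS for {name} after an unsigned DS reply")
    for name in flapping_names(SAMPLE_LOG):
        print(f"{name}: verdicts flap {verdict_history(SAMPLE_LOG)[name]}")
```

Feed it `journalctl -u dnsmasq` output (or the syslog file) instead of SAMPLE_LOG; with `log-queries` and `log-dnssec` enabled, a name that shows up in both lists is the pattern from this report and is a good candidate for a packet capture of the DS exchange.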

Dnsmasq-discuss mailing list
