On 30.12.2025 18:44, Jan Breig via Dnsmasq-discuss wrote:
Hello,

I have set up a wildcard DNS CNAME record `*.b.c.pygos.space`.
When using dnsmasq with DNSSEC validation enabled, a query to this wildcard 
causes a SERVFAIL.
Queries to explicit subdomains that the wildcard resolves to are successful.

Steps to reproduce:

1. Set up dnsmasq
/etc/dnsmasq.conf
-----------------------------------------------
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
-----------------------------------------------

2. Start dnsmasq
# dnsmasq -d --dnssec

3. Request an explicit subdomain
# dig a.b.c.pygos.space @127.0.0.1
-> works

4. Request the wildcard subdomain itself
# dig *.b.c.pygos.space @127.0.0.1
-> fails with SERVFAIL (NSEC Missing)

5. Request the wildcard subdomain with another resolver
# dig *.b.c.pygos.space @1.1.1.1
-> works

I experienced this bug when using pihole. Related bug:
https://github.com/pi-hole/FTL/issues/2751

Best regards,
Jan Breig


I think I got this.

When validating a query answered using a wildcard, the validation has to check that the actual query name doesn't exist.

If a.b.c.pygos.space (in your example) really existed and had a value different to *.b.c.pygos.space, then an attacker could craft a reply giving it the same value as *.b.c.pygos.space just by using the *.b.c.pygos.space signature. The problem here is that dnsmasq was doing that check when the query is *.b.c.pygos.space, which is just wrong, since the check will fail (*.b.c.pygos.space does exist) and it is not necessary.

https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=f603a4f920e6953b11667d424956fd47373870e9

Fixes this for me.


Cheers,

Simon.
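An added illustration of the rule Simon describes (not dnsmasq's code and not the contents of the commit above): per RFC 4034 section 3.1.3 the RRSIG Labels field does not count a leading wildcard label, so by RFC 4035 section 5.3.4 a query for the wildcard name itself is not a wildcard expansion and needs no proof that the query name is absent. The names are the ones from the report; the Labels value of 4 is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Count labels the way the RRSIG Labels field does (RFC 4034 section 3.1.3):
   the root label is not counted and a leftmost "*" label is not counted. */
int rrsig_label_count(const char *name)
{
    int count = 0, first = 1;
    const char *p = name;

    while (*p)
    {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);

        if (len > 0 && !(first && len == 1 && p[0] == '*'))
            count++;
        first = 0;
        p = dot ? dot + 1 : p + len;
    }
    return count;
}

/* Wildcard expansion is detected when the RRSIG Labels field is smaller
   than the owner name's label count (RFC 4035 section 5.3.4). Only then
   must the validator also find an NSEC/NSEC3 proof that qname itself
   does not exist. A query for the wildcard name itself is not an
   expansion, so no such proof is required (the case dnsmasq got wrong). */
int needs_nonexistence_proof(const char *qname, int rrsig_labels)
{
    return rrsig_labels < rrsig_label_count(qname);
}

int main(void)
{
    /* Constructed cases: the RRSIG covering *.b.c.pygos.space carries Labels = 4. */
    printf("a.b.c.pygos.space (Labels 4): proof needed = %d\n",
           needs_nonexistence_proof("a.b.c.pygos.space", 4));   /* 1: synthesized */
    printf("*.b.c.pygos.space (Labels 4): proof needed = %d\n",
           needs_nonexistence_proof("*.b.c.pygos.space", 4));   /* 0: wildcard itself */
    printf("a.b.c.pygos.space (Labels 5): proof needed = %d\n",
           needs_nonexistence_proof("a.b.c.pygos.space", 5));   /* 0: explicit record */
    return 0;
}
```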

_______________________________________________
Dnsmasq-discuss mailing list
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss