Hi everybody,
Since I enabled the DNSSEC capability I have this debug message:
Negative DS reply without NS record received for 100.100.in-addr.arpa, assuming non-DNSSEC domain-specific server.
While true in itself - I wouldn't expect this given the current config?
server=/ts.net/100.100.100.100
server=/100.100.in-addr.arpa/100.100.100.100
rev-server=100.64.0.0/10,100.100.100.100
What am I missing here?
For those who have access:
https://tricorder.pi-hole.net/Cx0OVYJd/
Cheers - Will
You don't need both the forward and reverse server lines.
From the dnsmasq man page:
--rev-server=<ip-address>[/<prefix-len>][,<ipaddr>][#<port>][@<interface>][@<source-ip>[#<port>]]
This is functionally the same as --server, but provides some syntactic sugar to make specifying address-to-name queries easier. For example --rev-server=1.2.3.0/24,192.168.0.1 is exactly equivalent to --server=/3.2.1.in-addr.arpa/192.168.0.1 Allowed prefix lengths are 1-32 (IPv4) and 1-128 (IPv6). If the prefix length is omitted, dnsmasq substitutes either 32 (IPv4) or 128 (IPv6).
But the debug line is exactly what it says and how it's working. You do not have the local zone signed so there's no signatures and the zone is in fact non-DNSSEC.
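To make the man page's equivalence concrete, here is an added example (not from this thread and not dnsmasq's own code) that rewrites a rev-server line into the server= lines it stands for and checks which PTR names a zone covers. It goes beyond the /24 case in the man page by splitting a non-octet-aligned prefix such as 100.64.0.0/10 into the octet-aligned in-addr.arpa zones it spans; how dnsmasq expands such prefixes internally is an assumption not stated on this page, the zone arithmetic itself is not.

```python
import ipaddress


def rev_zones(cidr: str) -> list[str]:
    """Return the reverse zones (in-addr.arpa / ip6.arpa) that cover `cidr`.

    A prefix that is not a multiple of 8 bits (IPv4) or 4 bits (IPv6) cannot be
    named by a single reverse zone, so it is split into the aligned subnets
    it contains and one zone is emitted per subnet.
    """
    net = ipaddress.ip_network(cidr, strict=False)  # mask off host bits
    unit = 8 if net.version == 4 else 4              # bits per reverse label
    aligned = -(-net.prefixlen // unit) * unit       # round prefix up to a label boundary
    labels = aligned // unit
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        if net.version == 4:
            parts = str(sub.network_address).split(".")[:labels]
            suffix = "in-addr.arpa"
        else:
            parts = list(sub.network_address.exploded.replace(":", "")[:labels])
            suffix = "ip6.arpa"
        zones.append(".".join(reversed(parts)) + "." + suffix)
    return zones


def rev_server_to_server(line: str) -> list[str]:
    """Rewrite 'rev-server=<net>[/<len>],<upstream>' into equivalent server= lines."""
    body = line.split("=", 1)[1]
    cidr, _, upstream = body.partition(",")
    if "/" not in cidr:  # man page: missing prefix length means a single host
        cidr += "/128" if ":" in cidr else "/32"
    return [f"server=/{zone}/{upstream}" for zone in rev_zones(cidr)]


def ptr_covered(ptr_name: str, zone: str) -> bool:
    """True if a PTR query name falls inside `zone` (domain-suffix match)."""
    ptr_name, zone = ptr_name.rstrip(".").lower(), zone.rstrip(".").lower()
    return ptr_name == zone or ptr_name.endswith("." + zone)


if __name__ == "__main__":
    # Constructed sample lines mirroring the thread's configuration.
    for out in rev_server_to_server("rev-server=100.64.0.0/10,100.100.100.100"):
        print(out)
    print(ptr_covered("100.100.100.100.in-addr.arpa", "100.100.in-addr.arpa"))
```

Running it shows that 100.64.0.0/10 expands to the 64 zones 64.100.in-addr.arpa through 127.100.in-addr.arpa, one of which is 100.100.in-addr.arpa, so the separate server=/100.100.in-addr.arpa/ line duplicates what rev-server already provides.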
Thank you for the quick response.
Reason for posting this is that I was under the impression that local zones are not sent to the forwarding dns servers - hence no check on dnssec. The idea is that 100.64.0.0/10 (part of which is 100.100.100.100) is a local zone - just like 192.168.0.0/16. Or am I overlooking something here?
Yeah, server directives are supposed to skip DNSSEC, I know there were a few situations that came up with the most recent dnsmasq release that we build on.
@DL6ER Is this another case for upstream?
Mmm - if I remove the rev-server line the log shows this:
2025-07-01 22:19:22.379 CEST [51/T83] ERROR: Cannot receive UDP DNS reply: Timeout - no response from upstream DNS server
2025-07-01 22:19:22.379 CEST [51/T83] INFO: Tried to resolve PTR "100.100.100.100.in-addr.arpa" on 127.0.0.1#53 (UDP)
2025-07-01 22:19:23.322 CEST [51M] WARNING: dnsmasq: Negative DS reply without NS record received for 100.100.in-addr.arpa, assuming non-DNSSEC domain-specific server.
The config has now this:
server=/ts.net/100.100.100.100
server=/100.100.in-addr.arpa/100.100.100.100
Does the above make any sense?
Did I do something wrong? And what?
I don't know your system and you have a number of complex additional configuration files added to /etc/dnsmasq.d/ that makes it difficult to understand and debug your setup.
If you are trying to set up a reverse zone then perhaps the rev-server configuration would be more useful?
Edit: You're missing a couple of octets:
server=/100.100.in-addr.arpa/100.100.100.100
Tried to resolve PTR "100.100.100.100.in-addr.arpa"
Can you be more specific - what is missing?
Use the rev-server configuration.
I added this rev-server earlier this morning - the debug message still pops up.
Any suggestion(s)?