dnsmasq incorrect behavior on RRSIG not matching covering name for domain without DNSSEC enabled (Cloudflare Auth CDN case) #2737

@mave007

Description

Versions

  • Pi-hole: v6.3
  • Web: v6.4
  • FTL: v6.4.1

Platform

  • OS and version: Ubuntu 20.04.6
  • Platform: VM

Expected behavior

Domains that are NOT DNSSEC signed, but still have an RRSIG in their response, shouldn't be processed as BOGUS if the signer name does not cover the domain in question.

This happens with Cloudflare domains that are part of their CDN, like rivcoed.org.cdn.cloudflare.net and rivcoed.org. The domain under cdn.cloudflare.net. is DNSSEC signed and offers the RRSIG with the correct covering name in its RRSIG response, but the one under the actual domain rivcoed.org also carries the same RRSIG, even though it is not DNSSEC signed (no DS on the parent, nor a DNSKEY on the domain itself).

Since the domain is not DNSSEC signed, the validation processing should be skipped, just like other public DNSSEC-enabled resolvers do. I tested it on the Quad9, Google and Cloudflare ones and directly with unbound, BIND and knot-resolver.

Actual behavior / bug

This is a response from pihole on the local system (note the SERVFAIL status and the EDE code 6):

# dig @127.0.0.1 rivcoed.org  +dnssec +multi

; <<>> DiG 9.18.30-0ubuntu0.20.04.2+esm1-Ubuntu <<>> @127.0.0.1 rivcoed.org +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47257
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 6 (DNSSEC Bogus)
;; QUESTION SECTION:
;rivcoed.org.		IN A

;; Query time: 99 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Dec 11 08:55:37 PST 2025
;; MSG SIZE  rcvd: 46

Forcing the client to ask for DNSSEC checking to be disabled (+cd option in dig). Note the cd flag and status NOERROR:

# dig @127.0.0.1 rivcoed.org  +dnssec +multi +cd

; <<>> DiG 9.18.30-0ubuntu0.20.04.2+esm1-Ubuntu <<>> @127.0.0.1 rivcoed.org +dnssec +multi +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1714
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;rivcoed.org.		IN A

;; ANSWER SECTION:
rivcoed.org.		141 IN A 104.18.3.90
rivcoed.org.		141 IN A 104.18.2.90
rivcoed.org.		141 IN RRSIG A 13 5 300 (
				20251212175726 20251210155726 34505 cloudflare.net.
				zkWKsHDT1Z0L1mnLRspSbrNIAyv27L5hfsoD1nwfoNgi
				bsB6tkjs9VVvjb5XOz+PPUJGPFgTLflaVXdsH2YVlw== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Dec 11 09:00:05 PST 2025
;; MSG SIZE  rcvd: 182

Bypassing pihole/dnsmasq and querying unbound directly, installed on the same server but running on port 5353 instead:

# dig @127.0.0.1 rivcoed.org -p 5353  +dnssec +multi

; <<>> DiG 9.18.30-0ubuntu0.20.04.2+esm1-Ubuntu <<>> @127.0.0.1 rivcoed.org -p 5353 +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14326
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;rivcoed.org.		IN A

;; ANSWER SECTION:
rivcoed.org.		203 IN A 104.18.2.90
rivcoed.org.		203 IN A 104.18.3.90
rivcoed.org.		203 IN RRSIG A 13 5 300 (
				20251212175726 20251210155726 34505 cloudflare.net.
				zkWKsHDT1Z0L1mnLRspSbrNIAyv27L5hfsoD1nwfoNgi
				bsB6tkjs9VVvjb5XOz+PPUJGPFgTLflaVXdsH2YVlw== )

;; Query time: 11 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1) (UDP)
;; WHEN: Thu Dec 11 08:59:03 PST 2025
;; MSG SIZE  rcvd: 182

Behavior on other public resolvers:

# dig @9.9.9.9 rivcoed.org   +dnssec +multi

; <<>> DiG 9.18.30-0ubuntu0.20.04.2+esm1-Ubuntu <<>> @9.9.9.9 rivcoed.org +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23134
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;rivcoed.org.		IN A

;; ANSWER SECTION:
rivcoed.org.		178 IN A 104.18.2.90
rivcoed.org.		178 IN A 104.18.3.90
rivcoed.org.		178 IN RRSIG A 13 5 300 (
				20251212180948 20251210160948 34505 cloudflare.net.
				ZYugtqZuutJWYWiKvuIqXLj0UMNNnY+fH5gsnhh7PjVh
				Lrd9LU6I80UGJ3iN1mkctxRpiANakmyneCYx5pOCJA== )

;; Query time: 159 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Thu Dec 11 09:11:50 PST 2025
;; MSG SIZE  rcvd: 182

# dig @8.8.8.8 rivcoed.org   +dnssec +multi

; <<>> DiG 9.18.30-0ubuntu0.20.04.2+esm1-Ubuntu <<>> @8.8.8.8 rivcoed.org +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8777
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;rivcoed.org.		IN A

;; ANSWER SECTION:
rivcoed.org.		46 IN A	104.18.2.90
rivcoed.org.		46 IN A	104.18.3.90
rivcoed.org.		46 IN RRSIG A 13 5 300 (
				20251212180948 20251210160948 34505 cloudflare.net.
				ZYugtqZuutJWYWiKvuIqXLj0UMNNnY+fH5gsnhh7PjVh
				Lrd9LU6I80UGJ3iN1mkctxRpiANakmyneCYx5pOCJA== )

;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Thu Dec 11 09:14:02 PST 2025
;; MSG SIZE  rcvd: 182

# dig @1.1.1.1 rivcoed.org   +dnssec +multi

; <<>> DiG 9.18.30-0ubuntu0.20.04.2+esm1-Ubuntu <<>> @1.1.1.1 rivcoed.org +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63913
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;rivcoed.org.		IN A

;; ANSWER SECTION:
rivcoed.org.		274 IN A 104.18.3.90
rivcoed.org.		274 IN A 104.18.2.90
rivcoed.org.		274 IN RRSIG A 13 5 300 (
				20251212181449 20251210161449 34505 cloudflare.net.
				1kclH7qiDb6OBOzdseOgTa9PFqX7S9vvKZcAr1PpTkDD
				3W4RAGSJgLxA8Pz+F0RKzUkFGEKvdVTLjBFmfEHoLA== )

;; Query time: 39 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Dec 11 09:15:15 PST 2025
;; MSG SIZE  rcvd: 182

Steps to reproduce

dig rivcoed.org. +dnssec +multi +cd

versus the correct one:

dig rivcoed.org.cdn.cloudflare.net +dnssec +multi

versus:

Additional context

Conversation about this issue on DNS-OARC Mattermost channel with other DNS experts: https://chat.dns-oarc.net/community/pl/uuc3gim7i3fcxj9trbmxgm31gc
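As an added illustration (not dnsmasq, Pi-hole or the reporter's code), the following Python applies the RFC 4035 §5.3.1 pre-checks on an RRSIG and the RFC 4035 §5.2 rule for an unsigned delegation to the records shown in the dig output above. That RRSIG has a Signer's Name of cloudflare.net. and a Labels field of 5, while rivcoed.org. has two labels and is not beneath cloudflare.net., so it fails two of the §5.3.1 checks on its own; and because the parent holds no DS for rivcoed.org, the zone is insecure and the RRSIG is never consulted at all. The `delegation_has_ds` flag stands in for a validated DS answer or a validated NSEC/NSEC3 denial, which the example assumes the caller already has rather than fetching it; the record values are constructed from the issue text.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RRSIG:
    """The RRSIG RDATA fields needed for the RFC 4035 §5.3.1 non-cryptographic checks."""
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    signer: str  # Signer's Name field, absolute


def name_labels(name: str) -> list[str]:
    """Labels of an absolute DNS name, lower-cased, root label excluded."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def zone_contains(zone: str, owner: str) -> bool:
    """Name-wise containment: owner is zone itself or a name beneath it.

    This is the necessary condition a validator can check from the names alone;
    real zone containment also depends on zone cuts the validator learned while
    walking the chain of trust.
    """
    z, o = name_labels(zone), name_labels(owner)
    return len(z) <= len(o) and o[len(o) - len(z):] == z


def rrsig_problems(owner: str, rrtype: str, sig: RRSIG) -> list[str]:
    """RFC 4035 §5.3.1 checks that need no cryptography.

    An empty list means the RRSIG is a candidate for signature verification;
    any entry means it cannot possibly validate this RRset.
    """
    problems: list[str] = []
    if sig.type_covered != rrtype:
        problems.append(f"type covered {sig.type_covered} != RRset type {rrtype}")
    # The Signer's Name MUST be the name of the zone that contains the RRset.
    if not zone_contains(sig.signer, owner):
        problems.append(f"signer {sig.signer} does not contain owner {owner}")
    # The owner's label count MUST be >= the Labels field; wildcard expansion
    # can only make the owner longer than the signed name, never shorter.
    owner_labels = len(name_labels(owner))
    if owner_labels < sig.labels:
        problems.append(f"labels field {sig.labels} > owner label count {owner_labels}")
    return problems


def classify(owner: str, rrtype: str, sigs: list[RRSIG], delegation_has_ds: bool) -> str:
    """Security status a validator assigns before doing any signature math.

    delegation_has_ds: whether the parent zone has a (validated) DS RRset for
    the zone holding this RRset. The example assumes the caller already has a
    validated DS answer or a validated NSEC/NSEC3 denial of the DS.
    Returns 'insecure', 'candidate' (go verify signatures) or 'bogus'.
    """
    if not delegation_has_ds:
        # Provably unsigned delegation (RFC 4035 §5.2): there is no
        # authentication path from the parent, so RRSIGs in the answer are
        # irrelevant and must not turn the response into SERVFAIL.
        return "insecure"
    usable = [s for s in sigs if not rrsig_problems(owner, rrtype, s)]
    return "candidate" if usable else "bogus"


# Constructed from the issue's dig output: the RRSIG returned alongside rivcoed.org. A.
CDN_SIG = RRSIG(type_covered="A", algorithm=13, labels=5, original_ttl=300,
                signer="cloudflare.net.")


def issue_cases() -> dict[str, object]:
    """Run the page's scenario through the checks above."""
    return {
        # rivcoed.org: no DS at .org (per the issue), so the RRSIG is ignored.
        "rivcoed.org": classify("rivcoed.org.", "A", [CDN_SIG], delegation_has_ds=False),
        # The same RRSIG at the CDN name, where it belongs: five labels and an
        # ancestor signer (cloudflare.net is signed, as the issue states).
        "cdn": classify("rivcoed.org.cdn.cloudflare.net.", "A", [CDN_SIG],
                        delegation_has_ds=True),
        # Hypothetical: only if rivcoed.org DID have a DS would this stray RRSIG
        # leave the validator with no usable signature, i.e. bogus.
        "if_signed": classify("rivcoed.org.", "A", [CDN_SIG], delegation_has_ds=True),
        # Why the RRSIG cannot apply to rivcoed.org regardless of any DS.
        "problems": rrsig_problems("rivcoed.org.", "A", CDN_SIG),
    }


if __name__ == "__main__":
    for key, value in issue_cases().items():
        print(f"{key}: {value}")
```

The two entries in `problems` are the part worth remembering: a standards-conforming validator never gets as far as checking the signature bytes for rivcoed.org, because the RRSIG is ruled out by its Signer's Name and Labels fields, and the insecure delegation rules it out even earlier.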
