[Dnsmasq-discuss] DNSSEC failure for dagjeuitactie.nl
Willem Bargeman
2018-10-26 14:05:00 UTC
Hi Simon,

I received a message that the website dagjeuitactie.nl was not working.
When I do a dig for this domain the status is SERVFAIL.

dig dagjeuitactie.nl @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Ubuntu <<>> dagjeuitactie.nl @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30367
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;dagjeuitactie.nl. IN A

;; Query time: 101 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri Oct 26 15:50:50 CEST 2018
;; MSG SIZE rcvd: 45

In the log file I can see the following.

dnsmasq[5172]: query[A] dagjeuitactie.nl from 127.0.0.1
dnsmasq[5172]: forwarded dagjeuitactie.nl to 127.0.1.1
dnsmasq[5172]: validation dagjeuitactie.nl is BOGUS

A query using the Cloudflare or Google DNS servers is working.
The domain name (dagjeuitactie.nl and www.dagjeactie.nl) is a CNAME for
dagjeuit-web.queueup.eu. Dagjeuitactie.nl is not DNSSEC enabled. However,
the domain dagjeuit-web.queueup.eu is DNSSEC enabled. However, this record
is also a CNAME to an AWS server.

I'm not a DNSSEC expert, but is this behavior correct? Is this a failure in
Dnsmasq, or is the domain not configured correctly?

Thank you!

Best regards,
Willem Bargeman
Simon Kelley
2018-10-28 11:13:39 UTC
There's a CNAME at the root of the domain, which is not permissible, and
the root cause of the validation failure.


https://medium.freecodecamp.org/why-cant-a-domain-s-root-be-a-cname-8cbab38e5f5c

gives some reasons why this is not a good idea.

What actually happens is that dnsmasq makes a query for the DS record
for dagjeuitactie.nl and gets back the CNAME, rather than NSEC records
from the parent proving that the DS doesn't work. It's arguable that
this is not sensible behaviour, but it's what happens, and it makes
it impossible for dnsmasq to do validation.

The easiest way to fix this is almost certainly to fix the domain.


Cheers,

Simon.
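The DS lookup Simon describes, as an added example (not code from dnsmasq or from either poster): it models the three outcomes a validator can reach from a DS-query reply and runs them over constructed replies, one shaped like what dnsmasq got for dagjeuitactie.nl and one for a hypothetical, correctly delegated unsigned zone (example.nl and its NSEC contents are assumptions).

```python
"""Constructed model of how a DNSSEC validator (e.g. dnsmasq) reads the reply to
a DS query, showing why a CNAME at the zone apex leaves it unable to validate."""
from dataclasses import dataclass, field

@dataclass
class RR:
    owner: str
    rtype: str
    rdata: tuple = ()  # CNAME: (target,); NSEC: (next_name, frozenset(types)); DS: any

@dataclass
class Response:
    qname: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def norm(name):
    """Lower-case, fully qualified form so owner names compare reliably."""
    return name.lower().rstrip(".") + "."

def classify_ds_response(resp):
    """SECURE_DELEGATION: DS RRset present (signature checks omitted in this model).
    PROVEN_INSECURE:   parent's NSEC for the delegation has no DS (RFC 4035 s.5.2).
    BOGUS_APEX_CNAME:  the reply is a CNAME for the very name whose DS was asked for.
    BOGUS:             nothing proves the chain either way, so the answer is dropped."""
    q = norm(resp.qname)
    if any(norm(rr.owner) == q and rr.rtype == "DS" for rr in resp.answer):
        return "SECURE_DELEGATION"
    for rr in resp.authority:
        if rr.rtype == "NSEC" and norm(rr.owner) == q:
            types = rr.rdata[1]
            # A delegation point's NSEC lists NS but neither DS nor SOA.
            if "NS" in types and "DS" not in types and "SOA" not in types:
                return "PROVEN_INSECURE"
    if any(norm(rr.owner) == q and rr.rtype == "CNAME" for rr in resp.answer):
        return "BOGUS_APEX_CNAME"
    return "BOGUS"

# Constructed sample: the shape of reply dnsmasq received for dagjeuitactie.nl.
APEX_CNAME_REPLY = Response(
    qname="dagjeuitactie.nl.",
    answer=[RR("dagjeuitactie.nl.", "CNAME", ("dagjeuit-web.queueup.eu.",))])

# Constructed sample (hypothetical names): an unsigned child zone whose parent
# returns an NSEC at the delegation name with DS absent from the type bitmap.
INSECURE_REPLY = Response(
    qname="example.nl.",
    authority=[RR("example.nl.", "NSEC",
                  ("example0.nl.", frozenset({"NS", "NSEC", "RRSIG"})))])
```

An NSEC3-signed parent (as many TLDs use) gives the same proof against the hashed owner name; the CNAME case fails identically because no denial record is returned at all.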
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss