Discussion:
[Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?
Ernst Ahlers
2015-09-30 08:54:42 UTC
Hello together,

first off: Many thanks to Simon and all developers for a very useful tool!

I'm using dnsmasq 2.72 with DNSSEC validation on my home server
(Ubuntu 14.04 LTS). During a discussion with a router manufacturer the
topic of answers for local queries for local hosts came up.

As far as I can see dnsmasq answers such queries without validation,
i.e. not setting the AD flag:

***@swing:~$ dnsmasq --version
Dnsmasq version 2.72 Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN DHCP DHCPv6
no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect
[...]
***@swing:~$ dig +dnssec bsi.bund.de @localhost | grep AUTH
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
***@swing:~$ dig +dnssec ap @localhost | grep AUTH
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Now this is expected since I didn't sign my locally used domain.
Anyway I'd like to be able to mark answers for local hosts within the
local network as validated. Is there an option to enable this?

Best regards

Ernst
--
Ernst Ahlers, Redakteur/Editor
PGP-Key-ID: 0x265E 3662, plain text preferred

c't - Magazin für Computertechnik
www.ct.de
Karl-Wiechert-Allee 10
D-30625 Hannover, Germany
Phone +49 (0)511 5352 300
Fax +49 (0)511 5352 417

Heise Medien GmbH & Co. KG
Registergericht: Amtsgericht Hannover HRA 26709
Persönlich haftende Gesellschafterin:
Heise Medien Geschäftsführung GmbH
Registergericht: Amtsgericht Hannover, HRB 60405
Geschäftsführer: Ansgar Heise, Dr. Alfons Schräder

Katze 5e
Jan-Piet Mens
2015-09-30 20:12:53 UTC
Post by Ernst Ahlers
Anyway I'd like to be able to mark answers for local hosts within the
local network as validated. Is there an option to enable this?
I hope not because it would be a lie; that zone has not been signed and
thus cannot be validated. Indicating Authentic Data would be a lie.

My curiosity forces me to ask you: why would you want dnsmasq to do
that? It's very simple nowadays to set up an authoritative DNSSEC-aware
signer. Isn't that the solution you're actually looking for?

-JP
Simon Kelley
2015-09-30 21:00:56 UTC
Post by Jan-Piet Mens
Post by Ernst Ahlers
Anyway I'd like to be able to mark answers for local hosts within
the local network as validated. Is there an option to enable
this?
I hope not because it would be a lie; that zone has not been signed
and thus cannot be validated. Indicating Authentic Data would be a
lie.
I guess the logic is that dnsmasq is the authoritative source for that
data, so it doesn't need to validate it to know that it's real. The
problem is that, unless the zone is signed, dnsmasq has no way to
prove the data is valid. It's fine setting the AD flag, but what
happens when the client sets the DO flag too, indicating that it wants
to see the proof? The proof doesn't exist, so it can't be given.

Simon.
Post by Jan-Piet Mens
My curiosity forces me to ask you: why would you want dnsmasq to
do that? It's very simple nowadays to set up an authoritative
DNSSEC-aware signer. Isn't that the solution you're actually
looking for?
-JP
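Simon's point above (setting AD is easy, but a client that also sets DO expects RRSIG proof that an unsigned zone cannot supply) and the two `dig` flag lines from the first message, as an added example that is not code from the thread or from dnsmasq: a minimal Python parser for DNS wire format that decodes the header flags the way `dig` prints them, reads the EDNS DO bit from the OPT record and checks whether an AD answer actually carries RRSIG records. The responses it parses are constructed inline; record layouts follow RFC 1035, 4034 and 6891.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46   # RFC 1035 / 6891 / 4034 type codes
FLAG_BITS = [("qr", 15), ("aa", 10), ("tc", 9), ("rd", 8), ("ra", 7), ("ad", 5), ("cd", 4)]

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:              # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:    # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (flag names as dig prints them, answer RR types, EDNS DO bit)."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    names = [n for n, bit in FLAG_BITS if flags >> bit & 1]
    off = 12
    for _ in range(qd):              # question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    answer_types, do = [], False
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == TYPE_OPT:
                do = bool(ttl >> 15 & 1)   # DO is the top bit of the OPT "TTL" field
            elif section == "an":
                answer_types.append(rtype)
            off += 10 + rdlen
    return names, answer_types, do

def ad_is_backed(flag_names, answer_types, do):
    """AD is only credible if a DO query also receives the RRSIG proof."""
    if "ad" not in flag_names:
        return True                  # nothing claimed, nothing to prove
    return not do or TYPE_RRSIG in answer_types

def build_response(flags, answer_types, do):
    """Constructed message: one question for 'ap', the given answer RRs, one OPT RR."""
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answer_types), 0, 1)
    msg += b"\x02ap\x00" + struct.pack("!HH", TYPE_A, 1)
    for rtype in answer_types:
        rdata = b"\x0a\x00\x00\x05" if rtype == TYPE_A else b"\x00" * 18  # dummy RDATA
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if do else 0, 0)
    return msg
```

Flags 0x81A0 decode to "qr rd ra ad" and 0x8580 to "qr aa rd ra", matching the two `dig` lines; `ad_is_backed(*parse_response(build_response(0x81A0, [TYPE_A], True)))` is False because the AD claim has no RRSIG behind it.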
Ernst Ahlers
2015-10-01 06:57:14 UTC
Post by Simon Kelley
I guess the logic is that dnsmasq is the authoritative source for
that data, so it doesn't need to validate it to know that it's
real.
Right, but obviously the solution is not as simple as setting AD.

As for the background (sorry, since English is not my native tongue
I'm having trouble being verbose):

A lot of people around here (me included) use a well-known router brand
(Fritz!Boxen) which employs dnsmasq. The manufacturer (AVM) offers a
free dyndns service (myfritz.net). It not only answers for both
address types but for IPv6 also allows subdomains for hosts within
your dyndns domain.

This is practical for accessing services like IMAP or Webdav(s) from
anywhere via the same domain name. Now asking the router for a host
from the local network will return the *external* IPv4 address and
the global IPv6 address.

With IPv4 connections from the local network this obviously incurs a
performance penalty since the packets will have to traverse the
router's NAT. This might not be an issue with IMAP but definitely
with NAS access via Webdav(s) or SFTP.

I submitted the idea of returning local IPv4 addresses for internal
queries to AVM. Their reply was that this will fail if they'd enable
DNSSEC for their dyndns service in the future. My knee-jerk reply
was to let dnsmasq set the AD flag for this kind of query. But as
per your explanations this is only half a solution.

Do you think there's any chance to solve this correctly without
switching from dnsmasq to Unbound or the like?

Best regards

Ernst

Jan-Piet Mens
2015-10-02 11:20:11 UTC
Post by Ernst Ahlers
Do you think there's any chance to solve this correctly without
switching from dnsmasq to Unbound or the like?
I don't think this is going to be possible.

BTW, AVM seem to have DNSSEC validation on (at least) their 7390 [1].
As somebody with a lot of clout, such as you have at c't :-), I would
contact them and politely request they quickly start signing their
myfritz platform. Chances are they might even do that. ;-)

-JP

[1] https://twitter.com/marcodavids/status/649861646232485888
Ernst Ahlers
2015-10-02 12:00:14 UTC
Post by Jan-Piet Mens
I don't think this is going to be possible.
OK, so AVM would probably have to switch to Unbound. Or they'll just
choose to ignore the IPv4 NAT penalty...
Post by Jan-Piet Mens
BTW, AVM seem to have DNSSEC validation on (at least) their 7390 [1].
Thanks for the hint!

Funny, our 7390 with FritzOS-Beta 6.36 running on DT-VDSL shows no
sign at all of DNSSEC, even if I set it to use validating servers. But
then this option might be tied to the internet provider selection...
Seems I'll have to bugger AVM again. :-D
Post by Jan-Piet Mens
I would contact them and politely request they quickly start
signing their myfritz platform. Chances are they might even do
that. ;-)
Oh, since they spoke of probably activating DNSSEC validation I'm
quite sure it's already on their timeline. :)

Anyway, many thanks for taking a look at my query!

Ernst
Ernst Ahlers
2015-10-02 12:53:25 UTC
Post by Jan-Piet Mens
BTW, AVM seem to have DNSSEC validation on (at least) their 7390 [1].
[1] https://twitter.com/marcodavids/status/649861646232485888
FYI: The originator of this tweet just fessed up to me that it was a fake.

CU

Ernst
Jan-Piet Mens
2015-10-02 16:15:57 UTC
Post by Ernst Ahlers
FYI: The originator of this tweet just fessed up to me that it was a fake.
I am talking to Marco now [1]. If this really was a fake, he's in trouble!

-JP

[1] https://twitter.com/jpmens/status/649980467928780800
Stéphane Guedon
2015-10-02 16:46:40 UTC
Post by Ernst Ahlers
Post by Simon Kelley
I guess the logic is that dnsmasq is the authoritative source for
that data, so it doesn't need to validate it to know that it's
real.
Right, but obviously the solution is not as simple as setting AD.
As for the background (sorry, since English is not my native tongue
I'm having trouble being verbose):
A lot of people around here (me included) use a well-known router brand
(Fritz!Boxen) which employs dnsmasq. The manufacturer (AVM) offers a
free dyndns service (myfritz.net). It not only answers for both
address types but for IPv6 also allows subdomains for hosts within
your dyndns domain.
This is practical for accessing services like IMAP or Webdav(s) from
anywhere via the same domain name. Now asking the router for a host
from the local network will return the *external* IPv4 address and
the global IPv6 address.
With IPv4 connections from the local network this obviously incurs a
performance penalty since the packets will have to traverse the
router's NAT. This might not be an issue with IMAP but definitely
with NAS access via Webdav(s) or SFTP.
I submitted the idea of returning local IPv4 addresses for internal
queries to AVM. Their reply was that this will fail if they'd enable
DNSSEC for their dyndns service in the future. My knee-jerk reply
was to let dnsmasq set the AD flag for this kind of query. But as
per your explanations this is only half a solution.
Do you think there's any chance to solve this correctly without
switching from dnsmasq to Unbound or the like?
Best regards
Ernst
Allow me to join in.

The interest is also that a domain is signed and used publicly (www, mx, imap
with public internet addresses signed...) but that when you are in your
network, the local dns (dnsmasq) gives your internal (nat, local) addresses
instead, which are not signed.

There, you will have conflicts between the two addresses.

Allowing dnsmasq to sign (or give a proof of authenticity) would solve this
problem, yet I am sure it is not easy.
--
The file signature.asc is not attached to be read by you. It's a digital
signature by GPG.
If you want to know why I use it, and why you should as well, you can read my
article there:

http://www.22decembre.eu/2015/03/21/introduction-en/
Ernst Ahlers
2015-10-02 17:34:30 UTC
Thanks for chiming in, Stephane,
Post by Stéphane Guedon
Allowing dnsmasq to sign (or give a proof of authenticity) would solve this
problem, yet I am sure it is not easy.
AFAIK there's no provision yet in dnsmasq for keeping signed domains.
After all it was never intended to be a fully fledged DNS server.

So the only viable option I see now would be switching to Unbound --
which AVM is unlikely to do IMHO.

Have a nice weekend all around!

Ernst
Stéphane Guedon
2015-10-03 05:53:51 UTC
Post by Ernst Ahlers
Thanks for chiming in Stephane,
Post by Stéphane Guedon
Allowing dnsmasq to sign (or give a proof of authenticity) would solve this
problem, yet I am sure it is not easy.
AFAIK there's no provision yet in dnsmasq for keeping signed domains.
After all it was never intended to be a fully fledged DNS server.
So the only viable option I see now would be switching to Unbound --
which AVM is unlikely to do IMHO.
Have a nice weekend all around!
Ernst
Unbound is only a resolver.

To replace dhcp and dns on lan, you might need a dhcp+bind with split mode.

Bind would then allow you also to resolve (as it's the all-in-one dns).
Ernst Ahlers
2015-10-03 07:43:27 UTC
Post by Stéphane Guedon
Unbound is only a resolver.
You're right. Since I have no hands-on experience with Unbound the name
might have misled me into assuming it were usable as a full-blown DNS
server.
Post by Stéphane Guedon
To replace dhcp and dns on lan, you might need a dhcp+bind with split mode.
It looks like that -- and even less of a chance for AVM making the move.

Thanks!

Ernst
Tomas Hozza
2015-10-05 10:07:17 UTC
Post by Stéphane Guedon
Post by Ernst Ahlers
Thanks for chiming in Stephane,
Post by Stéphane Guedon
Allowing dnsmasq to sign (or give a proof of authenticity) would solve this
problem, yet I am sure it is not easy.
AFAIK there's no provision yet in dnsmasq for keeping signed domains.
After all it was never intended to be a fully fledged DNS server.
So the only viable option I see now would be switching to Unbound --
which AVM is unlikely to do IMHO.
Have a nice weekend all around!
Ernst
Unbound is only a resolver.
To replace dhcp and dns on lan, you might need a dhcp+bind with split mode.
Bind would then allow you also to resolve (as it's the all-in-one dns).
You can have a local zone with local data also in Unbound.

Check https://unbound.nlnetlabs.nl/documentation/unbound.conf.html
and the options 'local-zone' and 'local-data' or 'stub-zone'.

I would say Unbound is as much an authoritative server as dnsmasq tries to be.

Plus Unbound can be easily reconfigured during runtime.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com
Ernst Ahlers
2015-10-05 10:31:11 UTC
Post by Tomas Hozza
You can have a local zone with local data also in Unbound.
Sure, but also signed with DNSSEC?

CU

ea
Stéphane Guedon
2015-10-05 16:15:55 UTC
Post by Ernst Ahlers
Post by Tomas Hozza
You can have a local zone with local data also in Unbound.
Sure, but also signed with DNSSEC?
CU
ea
That, I don't think so.

If you want to make something sophisticated, why not look at BIND?

It makes all possible things ever!

I should point out that I do not use it.
Tomas Hozza
2015-10-12 08:30:07 UTC
Post by Ernst Ahlers
Post by Tomas Hozza
You can have a local zone with local data also in Unbound.
Sure, but also signed with DNSSEC?
No, it cannot. Unbound cannot sign the records. It may be
possible to serve an already signed zone, but I never
experimented with this.

I agree with the latter response that if you want signing, it
may be better to use BIND. It can do the signing for you
automatically on-the-fly and also do the management of keys
(rollover) based on validity of the keys. Making such a setup
with BIND is super easy.

Regards,