Simon Kelley
2015-11-14 19:26:28 UTC
2.72 is a long time ago on the rocky road to correct DNSSEC. There have
been many fixes since then. I just tried the current development code
on the server 217.31.204.13, checking 2ip.ru and it seems we get it
right now.
dnsmasq: started, version 2.76test1-14-g41a8d9e cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
dnsmasq: DNSSEC validation enabled
dnsmasq: using nameserver 217.31.204.130#53
dnsmasq: read /etc/hosts - 7 addresses
dnsmasq: query[A] 2ip.ru from 127.0.0.1
dnsmasq: forwarded 2ip.ru to 217.31.204.130
dnsmasq: dnssec-query[DS] ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] . to 217.31.204.130
dnsmasq: reply . is DNSKEY keytag 62530
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply ru is DS keytag 9880
dnsmasq: dnssec-query[DS] 2ip.ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] ru to 217.31.204.130
dnsmasq: reply ru is DNSKEY keytag 54900
dnsmasq: reply ru is DNSKEY keytag 9880
dnsmasq: reply ru is DNSKEY keytag 30526
dnsmasq: reply 2ip.ru is no DS
dnsmasq: validation result is INSECURE
dnsmasq: reply 2ip.ru is 178.63.151.224
So the best suggestion is to move to 2.75, or wait for 2.76.
Cheers,
Simon.
Hi! I have Debian Jessie with dnsmasq 2.72-3+deb8u1 configured with
dnssec-check-unsigned. It works fine on 20+ servers but doesn't
work on one; it always replies with a BOGUS validation result for all
domains. I've confirmed that the problem is not in the network or due to
network tampering by using a VPN to that server and running dnsmasq on
an ArchLinux laptop, which works correctly, just as on the other
servers.
# dnsmasq --port=5351 --server=217.31.204.130 --dnssec
--dnssec-check-unsigned --proxy-dnssec
--trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
started, version 2.72 cachesize 10000
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect
dnsmasq: DNSSEC validation enabled
dnsmasq: using nameserver 217.31.204.130#53
dnsmasq: read /etc/hosts - 5 addresses
dnsmasq: query[A] 2ip.ru from 127.0.0.1
dnssec-query[DNSKEY] ru to 217.31.204.130
dnsmasq: dnssec-query[DS] ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] . to
reply . is DNSKEY keytag 62530
dnsmasq: reply ru is DS keytag 9880
dnsmasq: reply ru is DNSKEY keytag 54900
dnsmasq: reply ru is DNSKEY keytag 9880
dnsmasq: reply ru is DNSKEY keytag 30526
dnsmasq: reply 2ip.ru is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply 2ip.ru is 178.63.151.224
global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,
0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;2ip.ru. IN A
;; Query time: 682 msec
;; SERVER: 127.0.0.1#5351(127.0.0.1)
;; WHEN: Fri Nov 13 23:27:59 MSK 2015
;; MSG SIZE rcvd: 35
217.31.204.130 is a CZ.NIC recursive server with working DNSSEC.
I've checked library versions and apt-get upgraded that broken
server, didn't help.
_______________________________________________ Dnsmasq-discuss
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
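Added example, not code from the thread or from dnsmasq itself: a small Python audit of the chain-of-trust lines that the two logs above print, checking that the configured root trust anchor keytag (19036, from the --trust-anchor option) appears in the logged root DNSKEY set, that each DS keytag matches a DNSKEY of the child zone, and that a "no DS" versus "BOGUS DS" answer for 2ip.ru accounts for the logged INSECURE versus BOGUS result. The embedded log excerpts are copied from this thread; the audit_chain function and its decision rules are my own assumptions.

```python
import re
from collections import defaultdict
# Constructed samples: chain-of-trust lines copied from the two dnsmasq logs in this thread.
LOG_276 = """\
dnsmasq: reply . is DNSKEY keytag 62530
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply ru is DS keytag 9880
dnsmasq: reply ru is DNSKEY keytag 9880
dnsmasq: reply 2ip.ru is no DS
dnsmasq: validation result is INSECURE
"""
# The quoted 2.72 log is truncated in the mail (only root keytag 62530 survives),
# so the audit also flags the root as unanchored for this sample.
LOG_272 = """\
dnsmasq: reply . is DNSKEY keytag 62530
dnsmasq: reply ru is DS keytag 9880
dnsmasq: reply ru is DNSKEY keytag 9880
dnsmasq: reply 2ip.ru is BOGUS DS
dnsmasq: validation result is BOGUS
"""
ANCHOR_KEYTAG = 19036  # from the --trust-anchor=.,19036,8,2,... option in the thread
KEY = re.compile(r"dnsmasq: reply (\S+) is (DNSKEY|DS) keytag (\d+)$")
DS_STATE = re.compile(r"dnsmasq: reply (\S+) is (no|BOGUS) DS$")
RESULT = re.compile(r"dnsmasq: validation result is (\w+)$")
def audit_chain(log, anchor_keytag):
    """Walk the logged chain of trust root-down; return (logged, expected, findings)."""
    dnskeys, ds, ds_state, logged = defaultdict(set), defaultdict(set), {}, None
    for line in log.splitlines():
        if m := KEY.match(line):
            (dnskeys if m[2] == "DNSKEY" else ds)[m[1]].add(int(m[3]))
        elif m := DS_STATE.match(line):
            ds_state[m[1]] = m[2]
        elif m := RESULT.match(line):
            logged = m[1]
    findings = []
    if anchor_keytag not in dnskeys["."]:
        findings.append(f"trust anchor keytag {anchor_keytag} not among logged root DNSKEYs")
    # A child's DS record (served by its parent) must name one of the child's own DNSKEYs.
    for zone in sorted(ds, key=lambda z: z.count(".")):
        if not ds[zone] & dnskeys[zone]:
            findings.append(f"DS keytags {sorted(ds[zone])} for {zone} match no DNSKEY")
    # "no DS" is an authenticated unsigned delegation (INSECURE); "BOGUS DS" is an
    # unvalidatable DS answer, and any broken link above the leaf also makes it BOGUS.
    if findings or "BOGUS" in ds_state.values():
        expected = "BOGUS"
    else:
        expected = "INSECURE" if "no" in ds_state.values() else "SECURE"
    if logged != expected:
        findings.append(f"logged result {logged} but chain evidence says {expected}")
    return logged, expected, findings
```

Running it on the 2.76 excerpt yields no findings and an expected INSECURE; on the 2.72 excerpt it confirms the BOGUS result and reports only the missing root anchor line that the mail truncation removed.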