[Dnsmasq-discuss] Failure on dnssec-check-unsigned for Cloudflare re-delegated domains
Toke Høiland-Jørgensen
2016-06-19 09:53:28 UTC
I recently moved one of my domains to Cloudflare DNS. This has caused
some issues with resolving through dnsmasq when dnssec-check-unsigned is
enabled. Cloudflare supports DNSSEC and resolving the hostnames directly
specified in their DNS works fine. The issue is with subdomains that are
re-delegated with a subsequent NS record (insecurely; to dnsmasq
instances, incidentally, but that's beside the point here).

I *think* that the issue is that the NSEC record for the subdomain
includes a spurious null byte:

$ host -t NSEC brohuset.milos.dk
brohuset.milos.dk has NSEC record brohuset\000.milos.dk. NS RRSIG NSEC

Dnsviz seems to think that the NSEC record matches, and that the
delegation is insecure (as expected). Although it gives a bunch of other
errors: http://dnsviz.net/d/brohuset.milos.dk/dnssec/


So I'm actually not sure if this is an issue with dnsmasq or if
Cloudflare's DNS is buggy. Unbound does seem to resolve the domain,
though.

This is with dnsmasq 2.76.

-Toke
Simon Kelley
2016-07-07 21:18:13 UTC
Post by Toke Høiland-Jørgensen
I recently moved one of my domains to Cloudflare DNS. This has caused
some issues with resolving through dnsmasq when dnssec-check-unsigned is
enabled. Cloudflare supports DNSSEC and resolving the hostnames directly
specified in their DNS works fine. The issue is with subdomains that are
re-delegated with a subsequent NS record (insecurely; to dnsmasq
instances, incidentally, but that's beside the point here).
I *think* that the issue is that the NSEC record for the subdomain
$ host -t NSEC brohuset.milos.dk
brohuset.milos.dk has NSEC record brohuset\000.milos.dk. NS RRSIG NSEC
Dnsviz seems to think that the NSEC record matches, and that the
delegation is insecure (as expected). Although it gives a bunch of other
errors: http://dnsviz.net/d/brohuset.milos.dk/dnssec/
So I'm actually not sure if this is an issue with dnsmasq or if
Cloudflare's DNS is buggy. Unbound does seem to resolve the domain,
though.
Well, whatever it's done, it confuses Google Public DNS too:


***@holly:~$ dig @8.8.8.8 +dnssec DS brohuset.milos.dk

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @8.8.8.8 +dnssec DS
brohuset.milos.dk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6301
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;brohuset.milos.dk. IN DS

;; Query time: 3296 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jul 07 22:10:42 BST 2016
;; MSG SIZE rcvd: 46


I'm not sure that the NSEC record is faulty: the extra NULL byte is in
the "next existing name" field, and sure enough, that name does exist,
though it only seems to contain an NSEC record!


***@holly:~$ dig @8.8.8.8 +dnssec A brohuset/000.milos.dk

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @8.8.8.8 +dnssec A
brohuset/000.milos.dk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16789
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;brohuset/000.milos.dk. IN A

;; AUTHORITY SECTION:
milos.dk. 1799 IN SOA buck.ns.cloudflare.com. dns.cloudflare.com.
2021877006 10000 2400 604800 3600
brohuset/000.milos.dk. 3599 IN NSEC \000.brohuset/000.milos.dk. RRSIG NSEC
brohuset/000.milos.dk. 3599 IN RRSIG NSEC 13 3 3600 20160708221452
20160706201452 35273 milos.dk.
RuVEwfQttCXJmREcXmPp1AG21eudJNw35wuPmngG//Yf9Gkyycojhsmh
5/Gl6nrw+hKCH9cSyRT04s+MPyGNtg==
milos.dk. 1799 IN RRSIG SOA 13 2 3600 20160708221452 20160706201452
35273 milos.dk. CnujTN78WC7cTmVqkavyLDVpUIt2eUoMxRdoK3R3rOSGPfg15A5Zhigt
zpMzixRc9WtzbXNa+/qT8d9dolmk8Q==

I suspect that this is Cloudflare being very clever again, and I can
guess how it might be confusing dnsmasq, but it's going to be difficult
to test when it confuses Google too.

Cheers,

Simon.
Post by Toke Høiland-Jørgensen
This is with dnsmasq 2.76.
-Toke
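To make the "next existing name" point above concrete, here is an added Python example (not dnsmasq code and not from either poster) that implements RFC 4034 canonical name ordering with \DDD-escaped labels and applies it to the NSEC quoted in this thread: it checks that the record is the proof of an insecure delegation a validator needs, and that brohuset\000.milos.dk is the smallest name that is not below brohuset.milos.dk, so the span covers nothing else in the parent zone. The function names and the record set are constructed from the host output.

```python
# Added example: RFC 4034 section 6.1 canonical name ordering and NSEC checks,
# applied to the Cloudflare record quoted in this thread. Not dnsmasq code.

def labels(name: str) -> list[bytes]:
    """Presentation-format name -> wire labels; only \\DDD escapes are handled."""
    out, cur, i = [], bytearray(), 0
    while i < len(name):
        if name[i] == "\\" and name[i + 1:i + 4].isdigit():
            cur.append(int(name[i + 1:i + 4]))   # \000 -> one 0x00 octet
            i += 3
        elif name[i] == ".":
            out.append(bytes(cur))
            cur = bytearray()
        else:
            cur += name[i].encode()
        i += 1
    if cur:
        out.append(bytes(cur))
    return out

def canon(name: str) -> tuple[bytes, ...]:
    """Sort key: labels from the root downward, case-folded. Python's bytes order
    is the unsigned octet-by-octet order RFC 4034 requires; a prefix sorts first."""
    return tuple(l.lower() for l in reversed(labels(name)))

def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname lies strictly inside the span owner..nxt. The last NSEC of
    a zone wraps around to the apex, so that span is handled separately."""
    o, n, q = canon(owner), canon(nxt), canon(qname)
    return o < q < n if o < n else (q > o or q < n)

def proves_insecure_delegation(owner: str, types: set[str], qname: str) -> bool:
    """The proof a validator (e.g. dnsmasq with dnssec-check-unsigned) needs
    before treating the child as unsigned: an NSEC owned by the delegation
    name itself with NS present and neither DS nor SOA in its type bitmap."""
    return (canon(owner) == canon(qname) and "NS" in types
            and "DS" not in types and "SOA" not in types)

# Constructed from the "host -t NSEC brohuset.milos.dk" output above.
NSEC_OWNER = "brohuset.milos.dk"
NSEC_NEXT = "brohuset\\000.milos.dk"
NSEC_TYPES = {"NS", "RRSIG", "NSEC"}

if __name__ == "__main__":
    print(proves_insecure_delegation(NSEC_OWNER, NSEC_TYPES, NSEC_OWNER))
    # Names below the delegation fall inside the span; the smallest name not
    # below brohuset.milos.dk is the 'next' name itself, so nothing else is.
    for q in ("www.brohuset.milos.dk", "brohuset0.milos.dk", "brohuse.milos.dk"):
        print(q, nsec_covers(NSEC_OWNER, NSEC_NEXT, q))
```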
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss