[Dnsmasq-discuss] Cannot look up disa.mil (dnssec related)
Craig Andrews
2018-10-22 16:56:08 UTC
I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we
can figure out why that is.

I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream
DNS server; dnsmasq is running on 192.168.0.1.

Here are a couple of tests demonstrating the problem:
------
$ dig disa.mil @192.168.0.1 +dnssec +short
<no output>
$ dig disa.mil @8.8.8.8 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
[***@craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
156.112.108.76
------
So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with
dnssec works, but not with dnsmasq.

------
# dnsmasq --version
Dnsmasq version 2.80test3 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6
no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
------

Thanks in advance for your help and for this great software,
~Craig
Matthias Andree
2018-10-22 21:34:01 UTC
Post by Craig Andrews
I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that
we can figure out why that is.
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
156.112.108.76
Note however that 1.1.1.1 does NOT return dnssec info, just the bare
address, which may already be the point... use it in dig's @... option
to see the difference to Google's DNS resolver.

HTH,
Matthias
Simon Kelley
2018-10-22 22:10:06 UTC
I can reproduce this, and checking with DNSviz doesn't show any problems
with the domain, so this could well be a dnsmasq/DNSSEC problem.

I'll try and find time to do some forensics on it in the next day or two.


Cheers,

Simon.
Dominik DL6ER
2018-10-23 05:38:54 UTC
Hey all,

it seems to be working fine for me with dnsmasq v2.80. I'm also running
a local unbound instance which is why queries are getting forwarded to
127.0.0.1.

$ dig disa.mil @127.0.0.1 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=

relevant dnsmasq log excerpt:
Oct 23 07:29:54 dnsmasq[19772]: 1 127.0.0.1/49375 query[A] disa.mil
from 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: 1 127.0.0.1/49375 forwarded disa.mil to
127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 dnssec-query[DS] mil
to 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 dnssec-query[DNSKEY]
. to 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply . is DNSKEY
keytag 2134, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply . is DNSKEY
keytag 19036, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply . is DNSKEY
keytag 20326, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply mil is DS
keytag 59896, algo 8, digest 2
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply mil is DS
keytag 59896, algo 8, digest 1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 dnssec-query[DS]
disa.mil to 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 dnssec-query[DNSKEY]
mil to 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply mil is DNSKEY
keytag 59896, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply mil is DNSKEY
keytag 39600, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply mil is DNSKEY
keytag 693, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply disa.mil is DS
keytag 8665, algo 8, digest 2
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply disa.mil is DS
keytag 8665, algo 8, digest 1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 dnssec-query[DNSKEY]
disa.mil to 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply disa.mil is
DNSKEY keytag 52983, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply disa.mil is
DNSKEY keytag 8665, algo 8
Oct 23 07:29:54 dnsmasq[19772]: 1 127.0.0.1/49375 validation result is
SECURE
Oct 23 07:29:54 dnsmasq[19772]: 1 127.0.0.1/49375 reply disa.mil is
156.112.108.76

Best,
Dominik
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Neil Jerram
2018-10-22 22:28:16 UTC
Something to do with the recent change of the root DNSSEC key?

(dnsmasq has the new key in its codebase, but perhaps your config
isn't pulling it in correctly?)
Simon Kelley
2018-10-23 21:57:36 UTC
Post by Craig Andrews
I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we
can figure out why that is.
I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream
DNS server; dnsmasq is running on 192.168.0.1.
------
<no output>
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
156.112.108.76
------
So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with
dnssec works, but not with dnsmasq.
As Matthias says elsewhere in the thread, the last sentence above
appears not to be correct: it does work with 8.8.8.8, but not with 1.1.1.1

***@holly:~$ dig disa.mil @8.8.8.8 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
***@holly:~$ dig disa.mil @1.1.1.1 +dnssec +short
156.112.108.76


The replies from 1.1.1.1 are missing the DNSSEC signatures, and this
appears to be a problem at Cloudflare, rather than a problem with
dnsmasq, or with the domain.

If I use 8.8.8.8 as upstream, dnsmasq validates fine. If I use 1.1.1.1
validation fails, because 1.1.1.1 is not returning the RRSIG RRs, even
though it's been asked to. Without those RRSIGs the reply can't be
validated.

This problem with 1.1.1.1 seems to extend to many more .mil domains.

TL;DR. Not a dnsmasq problem, not a domain problem, probably a
Cloudflare problem.

Craig, please could you report this to Cloudflare?


Cheers,

Simon.
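To make the failure Simon describes concrete, here is an added Python example (not from the thread and not dnsmasq code) that parses a DNS response and reports whether an A answer arrived without any RRSIG covering it, which is exactly what a validating resolver sees when an upstream drops the signatures it was asked for with the DO bit. The two sample responses are constructed, the RRSIG rdata is a placeholder, and the names encode_name, skip_name, answer_rrs and upstream_strips_rrsigs are my own.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Offset just past a wire-format name at `off` (a 2-byte compression pointer ends it)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def answer_rrs(msg):
    """Return [(rrtype, rdata)] for every RR in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((rrtype, msg[off:off + rdlen]))
        off += rdlen
    return records

def upstream_strips_rrsigs(response, qtype=TYPE_A):
    """True when the answer carries `qtype` data but no RRSIG covering it (the first
    two rdata bytes of an RRSIG name the covered type). For a query sent with the
    DO bit set, that is the symptom Simon describes: nothing left to validate."""
    rrs = answer_rrs(response)
    covered = {struct.unpack(">H", rd[:2])[0] for t, rd in rrs if t == TYPE_RRSIG}
    return any(t == qtype for t, _ in rrs) and qtype not in covered

# Constructed sample responses (not captured traffic) answering disa.mil A. The RRSIG
# rdata is a placeholder: this check only looks for the record's presence.
def _response(rrs):
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0)  # QR, RD, RA
    body = encode_name("disa.mil") + struct.pack(">HH", TYPE_A, 1)
    for rrtype, rdata in rrs:
        body += b"\xc0\x0c" + struct.pack(">HHIH", rrtype, 1, 7200, len(rdata)) + rdata
    return header + body

A_RDATA = bytes([156, 112, 108, 76])
PLACEHOLDER_RRSIG = struct.pack(">H", TYPE_A) + b"\x08\x02" + b"\x00" * 20
SIGNED_RESPONSE = _response([(TYPE_A, A_RDATA), (TYPE_RRSIG, PLACEHOLDER_RRSIG)])
STRIPPED_RESPONSE = _response([(TYPE_A, A_RDATA)])
```

Fed the raw bytes of a real reply to a DO-bit query, the check separates the two behaviours shown in the dig output above: the 8.8.8.8-style reply (A plus RRSIG) passes, the 1.1.1.1-style reply (bare A) is flagged.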
Craig Andrews
2018-10-24 03:13:32 UTC
Thanks for correcting my misunderstanding of this issue!

I've reported the issue to Cloudflare at
https://community.cloudflare.com/t/1-1-1-1-doesnt-return-dnssec-data-for-disa-mil-googles-8-8-8-8-does/40837

Thanks,
~Craig
