[Dnsmasq-discuss] dnsmasq and "AD" flag forwarding

Tomas Hozza thozza at redhat.com
Wed Dec 11 13:52:26 GMT 2013


Hi.

I have been trying to understand what --proxy-dnssec option does.

From what I understand if NOT used, dnsmasq will NOT forward the
AD flag set by the upstream server to its clients.

If the --proxy-dnssec option is used, dnsmasq WILL forward the
AD flag in the DNS answer IF it was set by the upstream server.

If this is correct, then the dnsmasq behaviour differs.

I run:
[root@localhost ~]# dnsmasq -d --bind-interfaces --interface=lo --server=8.8.8.8 --no-resolv
dnsmasq: started, version 2.68 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 2 addresses


and then on the same machine I run DIG:
[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35121
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.				IN	A

;; ANSWER SECTION:
nic.cz.			865	IN	A	217.31.205.50

;; Query time: 29 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:47:11 CET 2013
;; MSG SIZE  rcvd: 51

[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39434
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nic.cz.				IN	A

;; ANSWER SECTION:
nic.cz.			863	IN	A	217.31.205.50

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:47:13 CET 2013
;; MSG SIZE  rcvd: 40


You can see that after dnsmasq caches the answer it sets the AD flag for
every subsequent query received from the client.

If I set --cache-size=0, the AD flag is never set. Also subsequent
queries look fine.


However if I run dnsmasq as follows:
[root@localhost ~]# dnsmasq -d --bind-interfaces --interface=lo --server=8.8.8.8 --no-resolv --cache-size=0 --proxy-dnssec
dnsmasq: started, version 2.68 cache disabled
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 2 addresses

Then the AD flag is never forwarded to the client:
[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34661
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.				IN	A

;; ANSWER SECTION:
nic.cz.			670	IN	A	217.31.205.50

;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:50:25 CET 2013
;; MSG SIZE  rcvd: 51

[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44968
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.				IN	A

;; ANSWER SECTION:
nic.cz.			1034	IN	A	217.31.205.50

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:50:30 CET 2013
;; MSG SIZE  rcvd: 51

[root@localhost ~]# dig @8.8.8.8 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @8.8.8.8 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17357
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.				IN	A

;; ANSWER SECTION:
nic.cz.			993	IN	A	217.31.205.50

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec 11 14:51:10 CET 2013
;; MSG SIZE  rcvd: 51


As you can see, the 8.8.8.8 server sets the AD flag in the response.

Is this a bug or am I doing something wrong?

Thanks!

Regards,

Tomas Hozza
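An added example, not part of the post above and not dnsmasq's code: it decodes the header flag word that dig prints as "flags: qr rd ra ad" from a raw DNS message, and models the --proxy-dnssec semantics the post describes (a non-validating forwarder clears the upstream AD bit unless the operator opted to proxy it). The 12-byte response header and the forward_to_client helper are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
QR = 0x8000
AA = 0x0400
TC = 0x0200
RD = 0x0100
RA = 0x0080
AD = 0x0020
CD = 0x0010

FLAG_NAMES = [("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD),
              ("ra", RA), ("ad", AD), ("cd", CD)]


def parse_flags(message: bytes) -> dict:
    """Return the header flag bits of a raw DNS message as a dict of booleans."""
    if len(message) < 12:
        raise ValueError("a DNS header is 12 bytes")
    (flags,) = struct.unpack("!H", message[2:4])
    return {name: bool(flags & bit) for name, bit in FLAG_NAMES}


def dig_style_flags(message: bytes) -> str:
    """Format the set flags the way dig prints them, e.g. 'qr rd ra ad'."""
    return " ".join(name for name, on in parse_flags(message).items() if on)


def forward_to_client(upstream: bytes, proxy_dnssec: bool) -> bytes:
    """Hypothetical model of a non-validating forwarder handling the AD bit.

    AD is the responding server's claim that it validated the data. A forwarder
    that did not validate anything itself should clear it, unless the operator
    explicitly trusts upstream (the --proxy-dnssec behaviour described in the post).
    Only the flag word changes; id, counts and the rest of the message pass through.
    """
    (flags,) = struct.unpack("!H", upstream[2:4])
    if not proxy_dnssec:
        flags &= ~AD
    return upstream[:2] + struct.pack("!H", flags) + upstream[4:]


# Constructed 12-byte response header: id 0x43CD, flags qr rd ra ad,
# QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0 (no payload, header only).
UPSTREAM_RESPONSE = struct.pack("!HHHHHH", 0x43CD, QR | RD | RA | AD, 1, 1, 0, 0)

if __name__ == "__main__":
    print("upstream     :", dig_style_flags(UPSTREAM_RESPONSE))
    print("no proxy     :", dig_style_flags(forward_to_client(UPSTREAM_RESPONSE, False)))
    print("proxy-dnssec :", dig_style_flags(forward_to_client(UPSTREAM_RESPONSE, True)))
```

Pointing parse_flags at a real captured response (e.g. the bytes of a query to 127.0.0.1) shows whether the forwarder in front of a client is passing through or dropping AD, which is what the dig output above reports in its flags line.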


