[Dnsmasq-discuss] Testers wanted: DNSSEC.

Simon Kelley simon at thekelleys.org.uk
Wed Feb 5 08:39:50 GMT 2014 

On 04/02/14 23:31, Eugene Rudoy wrote:
> Hi Simon,
>
> hmm, doesn't work for me yet. *All* replies are considered to be INSECURE.
>
> Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: started, version
> 2.69test6 cachesize 256
> Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: compile time options:
> no-IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP
> no-conntrack ipset auth DNSSEC
> Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: DNSSEC validation enabled
> Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: asynchronous logging
> enabled, queue limit is 10 messages
> Feb  5 00:14:50 fb daemon.info dnsmasq-dhcp[4022]: DHCP, IP range
> 192.168.xx.20 -- 192.168.xx.99, lease time 12h
> Feb  5 00:14:50 fb daemon.info dnsmasq-tftp[4022]: TFTP root is /tftproot
> Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: using nameserver 8.8.4.4#53
> Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: using nameserver 8.8.8.8#53
> Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: read /etc/hosts - 23 addresses
> Feb  5 00:14:50 fb daemon.info dnsmasq-dhcp[4022]: read /etc/ethers -
> 3 addresses
>
> Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: query[A] www.google.com
> from 192.168.xx.20
> Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: forwarded www.google.com
> to 8.8.8.8
> Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: validation result is INSECURE
> Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is
> 173.194.69.99
> Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is
> 173.194.69.103
> Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is
> 173.194.69.106
> Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is
> 173.194.69.147
> Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is
> 173.194.69.105
> Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is
> 173.194.69.104
>
> Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: query[A]
> www.facebook.com from 192.168.xx.20
> Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: forwarded
> www.facebook.com to 8.8.8.8
> Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: validation result is INSECURE
> Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: reply www.facebook.com is <CNAME>
> Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: reply
> star.c10r.facebook.com is 31.13.81.49
>

Most zones (including those you use as examples) are not (yet) signed, 
so that's the expected result.

Try

paypal.com
ietf.org
www.dnssec-failed.org

Cheers,

Simon.

More information about the Dnsmasq-discuss mailing list