[Dnsmasq-discuss] DNSSEC Problems

Simon Gebler sige.bo at gmail.com
Thu Oct 16 13:37:22 BST 2014


First off, I'm using Version 2.71 on OpenWRT.
Anyways, it seems to fail to verify my own Domain stripeyc.at, despite all
claims from dnsviz.net and the Verisign DNSSEC-Debugger that everything is
in proper order.

From the log:

Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: query[A] stripeyc.at from 10.0.1.201
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: forwarded stripeyc.at to 85.214.20.141
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: dnssec-query[DNSKEY] stripeyc.at to 85.214.20.141
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: dnssec-query[DS] stripeyc.at to 85.214.20.141
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: dnssec-query[DNSKEY] at to 85.214.20.141
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: dnssec-query[DS] at to 85.214.20.141
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: reply at is DS keytag 60836
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: reply at is DS keytag 56489
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: reply at is DNSKEY keytag 60836
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: reply at is DNSKEY keytag 56489
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: reply at is DNSKEY keytag 29940
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: reply at is DNSKEY keytag 7909
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: reply stripeyc.at is DS keytag 55690
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: reply stripeyc.at is DS keytag 55690
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: reply stripeyc.at is BOGUS DNSKEY
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: validation result is BOGUS
Thu Oct 16 14:24:56 2014 daemon.info dnsmasq[10111]: reply stripeyc.at is 178.63.145.237

Thus, I can't access my own stuff when enabling DNSSEC, but other sites
like debian.org or posteo.de work like a charm.
I suspect it might have to do with the upstream DS record, because I have a
type 1 and 2, though both are valid. I might eventually remove the 1 one,
but it needs some contacting my registrar and I won't add it back in for
debugging purposes.

Either way, I'm really wondering where exactly the problem seems to be so
I can either fix it or it can be fixed in the project.

~ Simon
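
A log triage sketch for the situation in the message above, added here as an example and not part of the original post or of dnsmasq: it groups the "reply ... is DS/DNSKEY keytag" lines by zone and reports where the chain of trust breaks. The log lines are the ones from the post (syslog prefix shortened); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines from the post above, wrapped lines rejoined, syslog prefix shortened.
LOG = """\
dnsmasq[10111]: reply at is DS keytag 60836
dnsmasq[10111]: reply at is DS keytag 56489
dnsmasq[10111]: reply at is DNSKEY keytag 60836
dnsmasq[10111]: reply at is DNSKEY keytag 56489
dnsmasq[10111]: reply at is DNSKEY keytag 29940
dnsmasq[10111]: reply at is DNSKEY keytag 7909
dnsmasq[10111]: reply stripeyc.at is DS keytag 55690
dnsmasq[10111]: reply stripeyc.at is DS keytag 55690
dnsmasq[10111]: reply stripeyc.at is BOGUS DNSKEY
dnsmasq[10111]: validation result is BOGUS
dnsmasq[10111]: reply stripeyc.at is 178.63.145.237
"""

KEYTAG = re.compile(r"reply (\S+) is (DS|DNSKEY) keytag (\d+)")
BOGUS = re.compile(r"reply (\S+) is BOGUS (\S+)")

def summarize(log):
    """Return {zone: {"DS": keytags, "DNSKEY": keytags, "bogus": record types}}."""
    zones = defaultdict(lambda: {"DS": set(), "DNSKEY": set(), "bogus": set()})
    for line in log.splitlines():
        if m := KEYTAG.search(line):
            zones[m.group(1)][m.group(2)].add(int(m.group(3)))
        elif m := BOGUS.search(line):
            zones[m.group(1)]["bogus"].add(m.group(2))
    return dict(zones)

def broken_links(log):
    """Zones with a BOGUS record or a DS keytag that no validated DNSKEY matches."""
    report = {}
    for zone, z in summarize(log).items():
        unmatched = z["DS"] - z["DNSKEY"]
        if z["bogus"] or unmatched:
            report[zone] = {"bogus": sorted(z["bogus"]),
                            "ds_without_dnskey": sorted(unmatched)}
    return report

if __name__ == "__main__":
    for zone, info in broken_links(LOG).items():
        print(zone, info)
```

On this log the "at" zone is clean (both DS keytags have a matching DNSKEY), while stripeyc.at is reported: its DS keytag 55690 is never followed by a validated DNSKEY with that keytag.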

