[Dnsmasq-discuss] losing RRSIGS in dnsmasq 2.73rc3

Dave Taht dave.taht at gmail.com
Thu Apr 2 21:43:09 BST 2015


On Thu, Apr 2, 2015 at 1:08 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> I get a BOGUS validation because there's no DS record for bufferbloat.net
>
> bufferbloat.net uses dlv.isc.org, which dnsmasq doesn't support. I
> think we went round this loop last year sometime.

I have to admit that we have not looked at how we did dnssec 4+ years
back. It does (now) just appear that we are misconfigured. Attempts
to reach www.ietf.org always return the RRSIGS.

>
> What are you doing which allows this to validate? Maybe a configured
> trust-anchor for bufferbloat.net? I guess the first answer is being
> returned from upstream, and the second is coming from the dnsmasq
> cache. It should have RRSIGs never-the-less, but I can't work out
> what's happening until I understand how you're getting validation at all.

I have no idea. I used Comcast's upstream resolvers.

(Next up for me is hammering dnssec via as many ways as I can come up with
over ipv6, btw)

>
> Cheers,
>
> Simon.
>
> On 02/04/15 20:10, Dave Taht wrote:
>> So I am testing with the latest 2.73 release candidate3.
>>
>> I do TWO dnssec queries on the same domain.
>>
>> The first, does the right thing. The second, does not give me the
>> RRSIGs.
>>
>>
>> d at nuc-client:~/public_html/archer_c7_O2$ dig www.bufferbloat.net +dnssec +multi
>>
>> ; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> www.bufferbloat.net +dnssec +multi
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38038
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4000
>> ;; QUESTION SECTION:
>> ;www.bufferbloat.net.    IN A
>>
>> ;; ANSWER SECTION:
>> www.bufferbloat.net.    86400 IN CNAME shipka.bufferbloat.net.
>> www.bufferbloat.net.    86400 IN RRSIG CNAME 7 3 86400 (
>>                                 20150430231644 20150331223348 6560 bufferbloat.net.
>>                                 qVWE6+j4ESNbRoulnJO9FoDdSCWCpghIE2Pe9f0wGaF5
>>                                 lSdVv5S1A2S6P5YrZaWajp8BWPO/cliXjwStNQdoQ5Et
>>                                 YtHgrDZAMj1hW2CVR8TPWaa+I2R5jnmqbdTslBBCxkpG
>>                                 2vFLB6SioH8oh4JYtujD3K0XxOY543MclW7FF60= )
>> shipka.bufferbloat.net. 86400 IN A 149.20.54.81
>> shipka.bufferbloat.net. 86400 IN RRSIG A 7 3 86400 (
>>                                 20150430184126 20150331182930 6560 bufferbloat.net.
>>                                 QPy1G/6ho5zIbPA8KUKFKjFYVCOvib454oRvaQ1cvfZZ
>>                                 vLyvd8zUmLw8nxAa3hcsU1MZlLAo1ELPEOac8/ND0FkZ
>>                                 Wp8wm/OTajoFM9/cOZqFNXkPBdsboqlSo0+EBJiROuzI
>>                                 u2S8PtoC0y7gJdjeRIXHhoYsv+TeZm9TtrCGBK4= )
>>
>> ;; Query time: 34 msec
>> ;; SERVER: 192.168.1.1#53(192.168.1.1)
>> ;; WHEN: Thu Apr 02 12:04:27 PDT 2015
>> ;; MSG SIZE  rcvd: 435
>>
>> d at nuc-client:~/public_html/archer_c7_O2$ dig www.bufferbloat.net +dnssec +multi
>>
>> ; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> www.bufferbloat.net +dnssec +multi
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61475
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;www.bufferbloat.net.    IN A
>>
>> ;; ANSWER SECTION:
>> www.bufferbloat.net.    86397 IN CNAME shipka.bufferbloat.net.
>> shipka.bufferbloat.net. 86397 IN A 149.20.54.81
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 192.168.1.1#53(192.168.1.1)
>> ;; WHEN: Thu Apr 02 12:04:30 PDT 2015
>> ;; MSG SIZE  rcvd: 100
>>



-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
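The symptom in this thread is easy to miss by eye: the second, cache-served answer still says NOERROR and still echoes the DO flag, but its RRsets come back without covering RRSIGs. The script below is an added example (not code from the thread and not part of dnsmasq) that turns that check into something mechanical: it parses the answer section of dig-style output, including the parenthesised continuation lines that `+multi` produces for RRSIG records, and reports every (owner, type) RRset that has no RRSIG covering it. The two embedded responses are constructed samples modelled on the pair of queries Dave posted (names, TTLs and signature data are made up, and the signature bodies are truncated placeholders).

```python
"""Check that every RRset in a DO=1 answer carries a covering RRSIG.

Added example for the dnsmasq-discuss thread; not dnsmasq code.
Parses dig-style output (with +multi's parenthesised RRSIG lines)
and reports RRsets that have no RRSIG covering their type.
"""
import re

# Constructed sample modelled on the first query in the thread:
# answered upstream, RRSIGs present. Signature bodies are placeholders.
FIRST = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.example.net.    IN A

;; ANSWER SECTION:
www.example.net.        86400 IN CNAME  host.example.net.
www.example.net.        86400 IN RRSIG  CNAME 7 3 86400 (
                                20150430231644 20150331223348 6560 example.net.
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= )
host.example.net.       86400 IN A      192.0.2.10
host.example.net.       86400 IN RRSIG  A 7 3 86400 (
                                20150430184126 20150331182930 6560 example.net.
                                BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB= )

;; Query time: 34 msec
"""

# Constructed sample modelled on the second query: served from cache,
# DO still echoed, but the RRSIG records are gone.
SECOND = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.example.net.    IN A

;; ANSWER SECTION:
www.example.net.        86397 IN CNAME  host.example.net.
host.example.net.       86397 IN A      192.0.2.10

;; Query time: 0 msec
"""


def do_bit_set(text):
    """True if the EDNS pseudosection shows the DO flag (i.e. DNSSEC was requested)."""
    m = re.search(r"^; EDNS: .*?flags:([^;]*)", text, re.M)
    return bool(m) and "do" in m.group(1).split()


def answer_records(text):
    """Yield dicts for each record in the ANSWER SECTION.

    Lines inside an open '(' are joined, so +multi's multi-line RRSIGs
    become one record. Parsing stops at the first blank or ';;' line
    that is not inside parentheses.
    """
    lines = text.splitlines()
    try:
        start = lines.index(";; ANSWER SECTION:") + 1
    except ValueError:
        return []
    records, buf, depth = [], [], 0
    for line in lines[start:]:
        if depth == 0 and (not line.strip() or line.startswith(";;")):
            break
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            fields = [f for f in " ".join(buf).split() if f not in ("(", ")")]
            buf = []
            owner, ttl, cls, rtype, *rdata = fields
            records.append({"owner": owner, "ttl": int(ttl), "class": cls,
                            "type": rtype, "rdata": rdata})
    return records


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs in the answer with no covering RRSIG."""
    rrsets, covered = set(), set()
    for rec in answer_records(text):
        if rec["type"] == "RRSIG":
            covered.add((rec["owner"], rec["rdata"][0]))  # rdata[0] = type covered
        else:
            rrsets.add((rec["owner"], rec["type"]))
    return sorted(rrsets - covered)


def check_response(text):
    """'no-do' if DNSSEC was not requested, 'signed' if every RRset is
    covered by an RRSIG, otherwise 'missing-rrsig'."""
    if not do_bit_set(text):
        return "no-do"
    return "signed" if not unsigned_rrsets(text) else "missing-rrsig"


if __name__ == "__main__":
    for label, resp in (("first query", FIRST), ("second query", SECOND)):
        print(f"{label}: {check_response(resp)} {unsigned_rrsets(resp)}")
```

To use it against a live resolver, pipe `dig <name> +dnssec +multi` output into `check_response` twice in a row; a `signed` followed by a `missing-rrsig` with `Query time: 0 msec` is exactly the cache-stripping pattern reported above, as opposed to a `no-do` result, which would mean the client never asked for DNSSEC data in the first place.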