[Dnsmasq-discuss] bugs.gentoo.org and dnssec

Simon Kelley simon at thekelleys.org.uk
Tue Apr 21 19:41:27 BST 2015




Thanks for the report. I just tested 2.72 and the current code in git,
and both worked fine, using Google public DNS (8.8.8.8) as upstream.


What do you know about the upstream server you're forwarding to? Is
there a possibility that it's "fiddling" with the data it supplies?


Cheers,

Simon.


On 21/04/15 18:55, Alon Bar-Lev wrote:
> Hi,
> 
> When using bugs.gentoo.org with dnsmasq-2.72 and dnssec enabled, I
> cannot access attachments.
> 
> The attachments are forwarded to a CNAME, for example:
> ---
> 546330.bugs.gentoo.org. 60      IN      CNAME   bugs-gossamer.gentoo.org.
> bugs-gossamer.gentoo.org. 300   IN      CNAME   gannet.gentoo.org.
> gannet.gentoo.org.      604800  IN      A       204.187.15.4
> ---
> 
> When trying to access without dnssec all is ok:
> ---
> Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
> Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
> Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
> Apr 21 20:19:04 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
> Apr 21 20:19:04 [dnsmasq] reply bugs-gossamer.gentoo.org is <CNAME>
> Apr 21 20:19:04 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
> ---
> 
> When trying to access with dnssec, notice the "validation result
> is BOGUS", no result is returned:
> ---
> Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
> Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
> Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] gentoo.org to 10.38.5.26
> Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] gentoo.org to 10.38.5.26
> Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] 8.8org to 10.38.5.26
> Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] org to 10.38.5.26
> Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] . to 10.38.5.26
> Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 19036
> Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 48613
> Apr 21 20:09:33 [dnsmasq] reply org is DS keytag 21366
> - Last output repeated twice -
> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 3213
> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 21366
> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 9795
> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 34023
> Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DS keytag 46873
> - Last output repeated twice -
> Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 52980
> Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
> Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
> Apr 21 20:09:33 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
> Apr 21 20:09:33 [dnsmasq] reply bugs-gossamer.gentoo.org is <CNAME>
> Apr 21 20:09:33 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
> ---
> 
> Maybe it is a local issue of the DNS I am using (I have no access to
> it), but maybe there is an issue in dnsmasq.
> 
> Peer reported that local unbound is working properly.
> 
> Regards, Alon Bar-Lev.
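To compare the two runs in the report by upstream server, the following added example (not part of the thread and not dnsmasq code) pairs each `validation result` line with the upstream the query was forwarded to, then lists upstreams that produced BOGUS for a name another upstream did not. It assumes queries are logged one at a time without interleaving; the function names are hypothetical and the sample input is abridged from the log lines quoted in the report.

```python
import re
from collections import defaultdict
# Constructed sample: log lines abridged from the two runs quoted in the report.
SAMPLE_LOG = """\
Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
"""

QUERY = re.compile(r"\] query\[(\w+)\] (\S+) from (\S+)")
FORWARD = re.compile(r"\] forwarded (\S+) to (\S+)")
DNSSEC_Q = re.compile(r"\] dnssec-query\[(\w+)\] (\S+) to (\S+)")
RESULT = re.compile(r"\] validation result is (\w+)")

def validation_by_upstream(log_text):
    """Return one record per 'validation result' line (hypothetical helper)."""
    records, current = [], None
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            # A client query starts a new record; the upstream is not known yet.
            current = {"name": m.group(2), "upstream": None, "dnssec_queries": []}
        elif current is None:
            continue  # line does not belong to a tracked query
        elif m := FORWARD.search(line):
            if m.group(1) == current["name"]:
                current["upstream"] = m.group(2)
        elif m := DNSSEC_Q.search(line):
            current["dnssec_queries"].append((m.group(1), m.group(2)))
        elif m := RESULT.search(line):
            current["result"] = m.group(1)
            records.append(current)
            current = None  # later 'reply' lines for this query are ignored
    return records

def suspect_upstreams(records):
    """Upstreams that gave BOGUS for a name some other upstream did not."""
    by_name = defaultdict(dict)
    for r in records:
        if r["upstream"]:
            by_name[r["name"]][r["upstream"]] = r["result"]
    suspects = set()
    for results in by_name.values():
        if any(v != "BOGUS" for v in results.values()):
            suspects.update(u for u, v in results.items() if v == "BOGUS")
    return sorted(suspects)
```
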
