[Dnsmasq-discuss] bugs.gentoo.org and dnssec
Michael Tremer
michael.tremer at ipfire.org
Tue Apr 28 13:00:58 BST 2015
Hello,
I am not sure if I am experiencing the same bug here or if it is
somewhat different.
When I try accessing some domains that use DNSSEC (like ipfire.org does,
but this applies to other as well), I sometimes get SERVFAIL. This
happens usually for bigger replies where fragmentation comes into the
game.
I think that I do not have a general issue with fragmentation or some
issue with the upstream name servers, because everything goes well if I
send the same query directly without going through dnsmasq. See below.
dig ANY ipfire.org returns a huge number of records with lots of
signatures and can be used to reproduce the issue with various upstream
name servers. dnsmasq receives a truncated DNS reply (it's over 4k) and
opens a TCP connection. As soon as dnsmasq is using TCP, the answer to
the local system that made the request is always SERVFAIL.
It also happens with "dig ANY ietf.org", but works with "dig ANY
postbank.de" which replies with a DNS packet less than 4k.
Other people have reported the same and/or similar issue over here:
https://bugzilla.ipfire.org/show_bug.cgi?id=10786
They confirm that the issue also happens with 8.8.8.8.
I captured the packets that dnsmasq is sending out to the upstream name
servers and attached the pcap file.
What can we do about this problem? It essentially makes DNSSEC unusable
at the moment.
Best,
-Michael
+ dig ANY ipfire.org
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ANY ipfire.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ipfire.org. IN ANY
;; Query time: 52 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)
;; WHEN: Tue Apr 28 13:49:20 CEST 2015
;; MSG SIZE rcvd: 39
+ dig ANY ipfire.org @178.63.73.246
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ANY ipfire.org @178.63.73.246
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30094
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipfire.org. IN ANY
;; ANSWER SECTION:
ipfire.org. 3571 IN A 178.63.73.246
ipfire.org. 3571 IN RRSIG A 8 2 3600 20150507000000 20150416000000 38274 ipfire.org. AafVd/T/gKOD35lqZihS89u4aH0T4YcIN3uWGihlF6ZufWk05zs9XBBj 8SAzs5yTOACe7Hb6iNpAr7B4TNvcqCfbDTkGRcfptaIoUl2CbJ015KSd OB2pHQxzzsGvqFc609egjP6cP4uh8cIK4JZ4iLD5ldT23x76nPWzUx4N d+ErCfq/UiWvf1vfuxIRP18otagfyK5AEG3U7VBoIH1rYtPov7LwbFmp EMRa27xWD/bYcMueDk9ojfgnqKK6jXQ8RqHoXR7SRsjV/HyCb6hSuTBc g+R+gykb/r082jTzon8kJKCcC7t7TWEdLY2WH+h1I3FN+f3iNhHoal/J l5cA+g==
ipfire.org. 48822 IN NS ns2.lightningwirelabs.com.
ipfire.org. 48822 IN NS ns3.lightningwirelabs.com.
ipfire.org. 48822 IN NS ns1.lightningwirelabs.com.
ipfire.org. 48822 IN RRSIG NS 8 2 86400 20150507000000 20150416000000 38274 ipfire.org. LtEwh5KQuMZOM9aQphrCiSJA7R6Ubv+A7ip+7S+NwfOLRC+Eao5I/MGw AXprSNvFglwKYyj/8hmAHkByRcniXceu5e9DPL8GZnRrJEaNmPyNgv+j bSIS4jD4FSrhS6LPQzAVg6XA5r9B1y9SDPiqgDm+e3fkD8zg+ZmJuY2x XYw9JeV1c4pZVCjS6jflkZ/9LcZrNGjcDuNZxQCSFu3wD/fmxbJXfKZN e4zO8XE18Ul1c7ifGLLRM45MyedQK/Gz47KXCkC0zkVtmRPybQN9lT+1 NKRQJFNc8U6+Hb90eQSjudsrXK0V2Z7McO5OMOe305loKWhvW8KMkc/b KIKnEw==
ipfire.org. 2310 IN SOA ns1.lightningwirelabs.com. hostmaster.ipfire.org. 1430190033 10800 1800 604800 300
ipfire.org. 2310 IN RRSIG SOA 8 2 3600 20150507000000 20150416000000 38274 ipfire.org. C8pSowvYXE3sngaZrOaevrbMtx3f3hKKkgRW51gebWBokxF7+5UuXclb 9pZm16ArrMeMIQhR0d14Wamn0yhsrIo8eqgPbjTdn9VzNZnpXXcsxAXu QJ4+vPGP92EfgDocqid7/9jKeJWtNZbgHJUfOwsEtYgS+gdP3L77k+gW EAypTHtJqiE65sFHUWXlb9kwmpr1trq5DXnVBwtiiaBhbYeZryY3MTkl MVyQEZebr/MUUQKAstgJ3l3U2Rikd5aolKecjEvC2UJ18atlWuuZFgh5 f+J8vWoWABv5FwJAXxKHvvuNUJD3ca+Q0PGOJj87Wf+SlB+MGRiDfSiX avh2qQ==
ipfire.org. 529 IN MX 10 mail01.ipfire.org.
ipfire.org. 529 IN RRSIG MX 8 2 3600 20150507000000 20150416000000 38274 ipfire.org. UpsMIw7DF7810q1r7w81d2+Mfe6728iNX46WP8AZDhbI7vjyY41y33zD rY4hDbBRfaZBCycrBKYmLj38FlXbFsxKGI+KMtAkhnEv4H3q7RjBo77u u1BLEd5Tql5oVfCaLlgvoqnATiDOr8Hh/C6R3ukSItC+cLeVY6cmBeE5 cvh6afqiPXhf9JLrEBpl3maxkx+307XThYW6u7ZE73k2xkNZbKb8ePrK vcND4KQlbAvGgTgOstK+wIUn2yn1oHtjWiHIXJXG6iFPXIpjMFLIYH0u /HrKhtxT397H/3dR6HXJ0zIGD+Pt82HUjPblA+B3O05FzhXFMccydG6m ffJh9Q==
ipfire.org. 2218 IN NAPTR 30 0 "s" "SIP+D2T" "" _sip._tcp.ipfire.org.
ipfire.org. 2218 IN NAPTR 10 0 "s" "SIPS+D2T" "" _sips._tcp.ipfire.org.
ipfire.org. 2218 IN NAPTR 20 0 "s" "SIP+D2U" "" _sip._udp.ipfire.org.
ipfire.org. 2218 IN RRSIG NAPTR 8 2 3600 20150507000000 20150416000000 38274 ipfire.org. rAPEpDgizACsrPwCQquMc+lJgm0pcpYxmDMlUUBIZLLDncVyYT4rTkQf Ch7sBusMbS55gx3CKb0diubVHRHrYG35m6iyMAkhoLlL4QgBl9W6Mm/5 cky6cKNTH7DZYcapoM0gdZ16BwmkLzaf3YbxsKnkj9WKPOTZ3gDiJUrT H+K+F8n9yB3YTZh2UiF6rkCzh70gyvgE7GtDWmo8NuU06hv96V0vFzaO 0dshzkEeGlxO895CIBN9n3VmTJGkje3aPrfQO9AQAQtvANizpGlDYX5d k4r0xdTUf9JxHpovOSwgHHW8H6OGv4GlGDeEekvpH47gsRhxvPI+B1dl 64BsFA==
ipfire.org. 175 IN DNSKEY 257 3 8 AwEAAaR10OZmKeoNxl4ncrBPg6FSAIfa8w80WjSz3dBmxKb4jdjno/Ux 6PaxoCbiA2AJ9EaVeB1R80MQpv5dbFDGn0EHHwLnuWJOpoqC4t2uGvbt OA8i8rPaCf4+gLJyUEsndPe56jXDB962B63aoj7B+Vxot2CWgtZrp+3l bueiQzgvscMUqVmwW5oQs6qTlR+Ml3sD15SEn22zoHRD6VKo71jWUqeF plbInDnSE0v+e9hl4e8SCwiHkmZ6XWnMddOHbRdtZN6T/zXgqc1dFha8 XjVovROASTipPq7XNyfDeMsnY7WFGS/wBsw3Ek8NZfVmfmykPrZja7eJ xaRxmbip+/s=
ipfire.org. 175 IN DNSKEY 256 3 8 AwEAAa5gMm2ujJ+ptGn/sGpWIGNJdcMd/F1Fi9oW1b/hjVyBuUtqKF7X yHeGxu70TkIW8ehqaRcLglI5MX6lPcBBVI69f1Oxc8CwbvL2Wf6NIzTZ cR/ooCgdWJA93UwoL7/IRn9+1G7LA+R7KS2BLxt0U6zn+8lhliMStg9d QhjLF9txECtqz2G5GAAXiUMSeVALtzOC/kVk2FgIcFWgkroQy8QQSUBA wkkbNHzGpLeTzMNB9KFfOZvDDwmyNN0v21YpaHkQ+z14U97cK7I1j28w hZ+nH8H/DWER34wj4jqLxNKU9RMzdkj7ac1OitIjhB+p3mhXLDtNyGTA symGY09zD/c=
ipfire.org. 175 IN RRSIG DNSKEY 8 2 300 20150507000000 20150416000000 54142 ipfire.org. Vemwsm1CWRG3vyooc3djrspfaOMaYhBS9LNg8kIvS3yscMc39RY9dPik 8AKjWr39SyNGWWcyAO79MAzFHFd0ZjCxvJkzmKRv9sqQgrMNAWQ20FB6 2n5AxZbz90BrSLsXnh0tfvMK/Ex8qSCqA10+4D06JD6cBQ+vl6ndCCDU c9yzrJ4pUNXUTpsYH4VlhEjrcw1VgoS/gF7rQwhA56J+RDnvbb9/sUiD 11mrZ1K+qCKEUfs8hoY6kUc/2/pkabK+n3QzmAX6cCBeOsEyxFJ2tlOQ xjZrKp9xh2BxqnRuDVs3IYdlVhA0T60s+tXIev/lGCivKugB/F1fniae vN3Z0A==
ipfire.org. 271 IN NSEC3PARAM 1 0 1 9BFD
ipfire.org. 271 IN RRSIG NSEC3PARAM 8 2 300 20150507000000 20150416000000 38274 ipfire.org. G9FvcJBYLIu4RTgkp1mQXkS1pw4S9YgtgIxeIFcMLtRgkjEyYwYLrEUD aRjdrSLNVx9Wfi3lz+vNLratHzTG3Qa+qfWwsffl5jwNIgbEq9mD6tzR hbgy5cJ+TzQ4NgLQ1jzkDzGmolSMkd06LhK3CkwqpUBsxixySoPtvSfD OflIm7Y0YBeE3OcCVzGGwU1OcCemK+57FL4HGOuNVd/YUyvawLtm02MU A30/up0OcBW+3ENlw8dF2E5UdzIrSuRqPd2BYg+LrW1rKgNQd32ewKGF 4qtyyQA6WoqchokFnyMIIW3KaC6w5toD3imGpsWgBuSXus6r8kc/bDtP 0hQGxg==
ipfire.org. 2310 IN SPF "v=spf1 mx mx:tx-team.de -all"
ipfire.org. 2310 IN RRSIG SPF 8 2 3600 20150507000000 20150416000000 38274 ipfire.org. Ky7sCewWYtekiI+mxy2wXOVgwePDa2KZJhS4Gi3n3esm056VwJj6Lztw bMCtND+jhL9HQv8pByWc1U/4XeBLH90RTbI0I6ZPnEpxU/H3925TOJl7 xUtEStWTUlsSFKvpxvajwvmw0BMbbw9ZYlSR6yMOUNgjCpO3haMtpFit FEOOybEqD6WMP/u7NC5DOH9xiJDeSVQPaN9KiYHVG5AcvtPy+zcgfyys YL7O1SvCzOitQpmaas/dtuJAsB57My9FlnlgrzDodV+UzqoOzFk+Ye+T tvvwjnBrjWaOiiX6ZnfK7VpvHlbKpKLjgcTSdoue0DYBW/mfQbuGXKOx J6gczw==
;; ADDITIONAL SECTION:
mail01.ipfire.org. 3428 IN A 178.63.73.247
mail01.ipfire.org. 3428 IN AAAA 2001:470:7183:25::1
;; Query time: 20 msec
;; SERVER: 178.63.73.246#53(178.63.73.246)
;; WHEN: Tue Apr 28 13:49:20 CEST 2015
;; MSG SIZE rcvd: 3389
+ dig forum.ipfire.org
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> forum.ipfire.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8057
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;forum.ipfire.org. IN A
;; ANSWER SECTION:
forum.ipfire.org. 703 IN CNAME web01.ipfire.org.
web01.ipfire.org. 3006 IN A 178.63.73.246
;; Query time: 0 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)
;; WHEN: Tue Apr 28 13:49:20 CEST 2015
;; MSG SIZE rcvd: 91
On Wed, 2015-04-22 at 22:02 +0100, Simon Kelley wrote:
> On 21/04/15 21:51, Alon Bar-Lev wrote:
> > On 21 April 2015 at 21:41, Simon Kelley <simon at thekelleys.org.uk>
> > wrote:
> >
> > Thanks for the report. I just tested 2.72 and the current code in
> > git, and both worked fine, using Google public DNS (8.8.8.8) as
> > upstream.
> >
> >
> >> I can confirm that using 8.8.8.8 it is working correctly.
> >
> >
> > What do you know about the upstream server you're forwarding to?
> > Is there a possibility that it's "fiddling" with the data it
> > supplies?
> >
> >
> >> it may be, how can I check that? what do you need?
>
>
> Start with the results of
>
> dig @192.168.1.1 +dnssec 546330.bugs.gentoo.org
>
> please.
>
> Cheers,
>
>
> Simon.
>
> >
> >
> > Cheers,
> >
> > Simon.
> >
> >
> > On 21/04/15 18:55, Alon Bar-Lev wrote:
> >>>> Hi,
> >>>>
> >>>> When using bugs.gentoo.org with dnsmasq-2.72 and dnssec
> >>>> enabled, I cannot access attachments.
> >>>>
> >>>> The attachments are forwarded to a CNAME, for example: ---
> >>>> 546330.bugs.gentoo.org. 60 IN CNAME
> >>>> bugs-gossamer.gentoo.org. bugs-gossamer.gentoo.org. 300 IN
> >>>> CNAME gannet.gentoo.org. gannet.gentoo.org. 604800
> >>>> IN A 204.187.15.4 ---
> >>>>
> >>>> When trying to access without dnssec all is ok: --- Apr 21
> >>>> 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from
> >>>> 127.0.0.1 Apr 21 20:19:04 [dnsmasq] forwarded
> >>>> 546330.bugs.gentoo.org to 192.168.1.1 Apr 21 20:19:04
> >>>> [dnsmasq] validation result is INSECURE Apr
> >>>> 21546330.bugs.gentoo.org. 20:19:04 [dnsmasq] reply
> >>>> 546330.bugs.gentoo.org is <CNAME> Apr 21 20:19:04 [dnsmasq]
> >>>> reply bugs-gossamer.gentoo.org is <CNAME> Apr 21 20:19:04
> >>>> [dnsmasq] reply gannet.gentoo.org is 204.187.15.4 ---
> >>>>
> >>>> When trying to access with dnssec, notice the "validation
> >>>> result is BOGUS", no result is returned: --- Apr 21 20:09:33
> >>>> [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1 Apr
> >>>> 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to
> >>>> 10.38.5.26 Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY]
> >>>> gentoo.org to 10.38.5.26 Apr 21 20:09:33 [dnsmasq]
> >>>> dnssec-query[DS] gentoo.org to 10.38.5.26 Apr 21 20:09:33
> >>>> [dnsmasq] dnssec-query[DNSKEY] 8.8org to 10.38.5.26 Apr 21
> >>>> 20:09:33 [dnsmasq] dnssec-query[DS] org to 10.38.5.26 Apr 21
> >>>> 20:09:33 [dnsmasq] dnssec-query[DNSKEY] . to 10.38.5.26 Apr
> >>>> 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 19036 Apr 21
> >>>> 20:09:33 [dnsmasq] reply . is DNSKEY keytag 48613 Apr 21
> >>>> 20:09:33 [dnsmasq] reply org is DS keytag 21366 - Last
> >>>> output repeated twice - Apr 21 20:09:33 [dnsmasq] reply org
> >>>> is DNSKEY keytag 3213 Apr 21 20:09:33 [dnsmasq] reply org is
> >>>> DNSKEY keytag 21366 Apr 21 20:09:33 [dnsmasq] reply org is
> >>>> DNSKEY keytag 9795 Apr 21 20:09:33 [dnsmasq] reply org is
> >>>> DNSKEY keytag 34023 Apr 21 20:09:33 [dnsmasq] reply
> >>>> gentoo.org is DS keytag 46873 - Last output repeated twice -
> >>>> Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag
> >>>> 52980 Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY
> >>>> keytag 46873 Apr 21 20:09:33 [dnsmasq] validation result is
> >>>> BOGUS Apr 21 20:09:33 [dnsmasq] reply 546330.bugs.gentoo.org
> >>>> is <CNAME> Apr 21 20:09:33 [dnsmasq] reply
> >>>> bugs-gossamer.gentoo.org is <CNAME> Apr 21 20:09:33 [dnsmasq]
> >>>> reply gannet.gentoo.org is 204.187.15.4 ---
> >>>>
> >>>> Maybe it is local issue of the dns I am using (I have no
> >>>> access to it), but maybe there is a issue at dnsmasq.
> >>>>
> >>>> Peer reported that local unbound is working properly.
> >>>>
> >>>> Regards, Alon Bar-Lev.
> >>>>
> >>>> _______________________________________________
> >>>> Dnsmasq-discuss mailing list
> >>>> Dnsmasq-discuss at lists.thekelleys.org.uk
> >>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>>>
> >>
> >>
> >>>>
> _______________________________________________
> >> Dnsmasq-discuss mailing list
> >> Dnsmasq-discuss at lists.thekelleys.org.uk
> >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq.pcap
Type: application/vnd.tcpdump.pcap
Size: 14611 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20150428/5083c44e/attachment-0001.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20150428/5083c44e/attachment-0001.sig>
More information about the Dnsmasq-discuss
mailing list