[Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
Karl-Johan Karlsson
creideiki+dnsmasq-discuss at ferretporn.se
Sat Jun 6 09:58:53 BST 2015
Hello,
When dnssec-check-unsigned is set, dnsmasq (2.72 and 2.73rc8) returns SERVFAIL
for queries for linux.conf.au, claiming a "BOGUS DS":
Jun 06 10:15:24 [dnsmasq] query[ANY] linux.conf.au from 192.168.3.138
Jun 06 10:15:24 [dnsmasq] forwarded linux.conf.au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] forwarded linux.conf.au to ::1
Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] . to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] reply . is DNSKEY keytag 19036
Jun 06 10:15:24 [dnsmasq] reply . is DNSKEY keytag 48613
Jun 06 10:15:24 [dnsmasq] reply au is DS keytag 37976
- Last output repeated twice -
Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] conf.au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] reply au is DNSKEY keytag 37976
Jun 06 10:15:24 [dnsmasq] reply au is DNSKEY keytag 38218
Jun 06 10:15:24 [dnsmasq] reply conf.au is DS keytag 47617
- Last output repeated twice -
Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] linux.conf.au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] conf.au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 62005
Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 14643
Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 53538
Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 47617
Jun 06 10:15:24 [dnsmasq] reply linux.conf.au is BOGUS DS
Jun 06 10:15:24 [dnsmasq] validation linux.conf.au is BOGUS
When dnssec-check-unsigned is not set, it's correctly regarded as unsigned:
Jun 06 10:15:10 [dnsmasq] query[ANY] linux.conf.au from 192.168.3.138
Jun 06 10:15:10 [dnsmasq] forwarded linux.conf.au to 127.0.0.1
Jun 06 10:15:10 [dnsmasq] validation result is INSECURE
I'm not really sure who to blame here; linux.conf.au is the only domain I've
seen this error for, but other resolvers (e.g. the Unbound which serves as
upstream for my Dnsmasq) resolve it just fine. Dnsmasq with and without
dnssec-check-unsigned, and Unbound, correctly reject dnssec-failed.org.
<URL:http://dnssec-debugger.verisignlabs.com/linux.conf.au> sees nothing
strange about linux.conf.au either.
--
Karl-Johan Karlsson
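To see where dnsmasq's chain-of-trust walk in the log above breaks, here is an added example (not part of the post or of dnsmasq itself) that parses the "reply ... is DS/DNSKEY keytag" lines, checks that each DS the parent published names one of the child's DNSKEYs, and reports the zone whose DS (or proof that no DS exists, which is what dnssec-check-unsigned demands for an unsigned delegation) did not validate. The log sample is constructed from the lines in the post, trimmed to the DNSSEC-relevant ones.

```python
import re
from collections import defaultdict

# Constructed sample: DNSSEC-relevant lines from the dnsmasq log in the post.
LOG = """\
Jun 06 10:15:24 [dnsmasq] reply . is DNSKEY keytag 19036
Jun 06 10:15:24 [dnsmasq] reply . is DNSKEY keytag 48613
Jun 06 10:15:24 [dnsmasq] reply au is DS keytag 37976
Jun 06 10:15:24 [dnsmasq] reply au is DNSKEY keytag 37976
Jun 06 10:15:24 [dnsmasq] reply au is DNSKEY keytag 38218
Jun 06 10:15:24 [dnsmasq] reply conf.au is DS keytag 47617
Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 47617
Jun 06 10:15:24 [dnsmasq] reply linux.conf.au is BOGUS DS
Jun 06 10:15:24 [dnsmasq] validation linux.conf.au is BOGUS
"""

REPLY = re.compile(r"reply (\S+) is (DS|DNSKEY) keytag (\d+)")
BOGUS = re.compile(r"reply (\S+) is BOGUS (DS|DNSKEY)")

def parse_chain(log):
    """Collect, per zone, the DS and DNSKEY keytags dnsmasq logged as replies,
    plus the first (zone, rrtype) it declared BOGUS, if any."""
    zones = defaultdict(lambda: {"DS": set(), "DNSKEY": set()})
    bogus = None
    for line in log.splitlines():
        if m := REPLY.search(line):
            zone, rrtype, keytag = m.groups()
            zones[zone][rrtype].add(int(keytag))
        elif (m := BOGUS.search(line)) and bogus is None:
            bogus = (m.group(1), m.group(2))
    return dict(zones), bogus

def chain_links(zones):
    """A delegation is linked when the DS the parent published names one of
    the child's own DNSKEYs; the root has no DS (it is the trust anchor)."""
    return {z: bool(r["DS"] & r["DNSKEY"]) for z, r in zones.items() if r["DS"]}

def diagnose(log):
    """Report where the walk stopped: every linked delegation, and the zone
    whose DS (or the denial that it has one) dnsmasq could not validate."""
    zones, bogus = parse_chain(log)
    good = [z for z, ok in chain_links(zones).items() if ok]
    if bogus is None:
        return "chain validated: " + ", ".join(good)
    zone, rrtype = bogus
    return (f"chain validated through {', '.join(good)}; {rrtype} for {zone} "
            f"is BOGUS: the parent's answer or denial for it did not verify")

print(diagnose(LOG))
```

For the post's log this places the failure at the conf.au -> linux.conf.au delegation, with au and conf.au linked correctly, so the question is whether conf.au's signed denial of a DS for linux.conf.au is what dnsmasq could not verify.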