[Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au

Simon Kelley simon at thekelleys.org.uk
Sat Jun 6 23:16:42 BST 2015



Turns out that this domain has a "weird" but valid use of NSEC3 which
broke dnsmasq's corner-case code.

2.73rc9 should fix it.


Cheers,

Simon.


On 06/06/15 09:58, Karl-Johan Karlsson wrote:
> Hello,
> 
> When dnssec-check-unsigned is set, dnsmasq (2.72 and 2.73rc8)
> returns SERVFAIL for queries for linux.conf.au, claiming a "BOGUS
> DS":
> 
> Jun 06 10:15:24 [dnsmasq] query[ANY] linux.conf.au from 192.168.3.138
> Jun 06 10:15:24 [dnsmasq] forwarded linux.conf.au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] forwarded linux.conf.au to ::1
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] . to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] reply . is DNSKEY keytag 19036
> Jun 06 10:15:24 [dnsmasq] reply . is DNSKEY keytag 48613
> Jun 06 10:15:24 [dnsmasq] reply au is DS keytag 37976
> - Last output repeated twice -
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] conf.au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] reply au is DNSKEY keytag 37976
> Jun 06 10:15:24 [dnsmasq] reply au is DNSKEY keytag 38218
> Jun 06 10:15:24 [dnsmasq] reply conf.au is DS keytag 47617
> - Last output repeated twice -
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] linux.conf.au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] conf.au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 62005
> Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 14643
> Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 53538
> Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 47617
> Jun 06 10:15:24 [dnsmasq] reply linux.conf.au is BOGUS DS
> Jun 06 10:15:24 [dnsmasq] validation linux.conf.au is BOGUS
> 
> When dnssec-check-unsigned is not set, it's correctly regarded as
> unsigned:
> 
> Jun 06 10:15:10 [dnsmasq] query[ANY] linux.conf.au from 192.168.3.138
> Jun 06 10:15:10 [dnsmasq] forwarded linux.conf.au to 127.0.0.1
> Jun 06 10:15:10 [dnsmasq] validation result is INSECURE
> 
> I'm not really sure who to blame here; linux.conf.au is the only
> domain I've seen this error for, but other resolvers (e.g. the
> Unbound which serves as upstream for my Dnsmasq) resolve it just
> fine. Dnsmasq with and without dnssec-check-unsigned, and Unbound,
> correctly reject dnssec-failed.org. 
> <URL:http://dnssec-debugger.verisignlabs.com/linux.conf.au> sees
> nothing strange about linux.conf.au either.
> 

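As an added example (not part of this thread and not dnsmasq's own code), here is a small Python parser for the dnsmasq DNSSEC log lines quoted in the report. It reconstructs the chain-of-trust walk dnsmasq performed (which zones' DS and DNSKEY records were fetched, in what order, and which key tags came back), records where a reply was logged as BOGUS, and extracts the final verdict, so that a BOGUS result can be surfaced for alerting rather than only seen as a SERVFAIL by the client. The two log excerpts from the report are embedded as the sample input; the `chain_break` consistency check is my addition and compares only key tags, which is necessary but not sufficient for a DS to match (the digest must match too), so a tag match never proves a link valid, it only localises where a mismatch is obvious.

```python
"""Summarise dnsmasq DNSSEC log output: zones walked, key tags seen, verdict."""
import re
from dataclasses import dataclass, field

# Sample input: the two excerpts from the report above, one log record per
# line (the mail client had re-wrapped them). The "Last output repeated"
# marker is syslog's own and is skipped by the parser.
BOGUS_LOG = """\
Jun 06 10:15:24 [dnsmasq] query[ANY] linux.conf.au from 192.168.3.138
Jun 06 10:15:24 [dnsmasq] forwarded linux.conf.au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] forwarded linux.conf.au to ::1
Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] . to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] reply . is DNSKEY keytag 19036
Jun 06 10:15:24 [dnsmasq] reply . is DNSKEY keytag 48613
Jun 06 10:15:24 [dnsmasq] reply au is DS keytag 37976
- Last output repeated twice -
Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] conf.au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] reply au is DNSKEY keytag 37976
Jun 06 10:15:24 [dnsmasq] reply au is DNSKEY keytag 38218
Jun 06 10:15:24 [dnsmasq] reply conf.au is DS keytag 47617
- Last output repeated twice -
Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] linux.conf.au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] conf.au to 127.0.0.1
Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 62005
Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 14643
Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 53538
Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 47617
Jun 06 10:15:24 [dnsmasq] reply linux.conf.au is BOGUS DS
Jun 06 10:15:24 [dnsmasq] validation linux.conf.au is BOGUS
"""

INSECURE_LOG = """\
Jun 06 10:15:10 [dnsmasq] query[ANY] linux.conf.au from 192.168.3.138
Jun 06 10:15:10 [dnsmasq] forwarded linux.conf.au to 127.0.0.1
Jun 06 10:15:10 [dnsmasq] validation result is INSECURE
"""

# Line shapes as they appear in the quoted log (assumed stable for this example).
MSG_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \[dnsmasq\] (?P<msg>.+)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>\w+)\] (?P<name>\S+) from \S+$")
DNSSEC_QUERY_RE = re.compile(r"^dnssec-query\[(?:DS|DNSKEY)\] (?P<name>\S+) to \S+$")
KEYTAG_RE = re.compile(r"^reply (?P<name>\S+) is (?P<rrtype>DS|DNSKEY) keytag (?P<tag>\d+)$")
BOGUS_REPLY_RE = re.compile(r"^reply (?P<name>\S+) is BOGUS (?P<rrtype>\S+)$")
# Matches both "validation <name> is BOGUS" and "validation result is INSECURE".
VERDICT_RE = re.compile(r"^validation \S+ is (?P<status>\w+)$")


@dataclass
class ChainWalk:
    qname: str = ""
    qtype: str = ""
    walked: list = field(default_factory=list)   # zones asked for DS/DNSKEY, in order first seen
    dnskeys: dict = field(default_factory=dict)  # zone -> sorted DNSKEY key tags
    ds: dict = field(default_factory=dict)       # zone -> sorted DS key tags (from the parent)
    bogus: list = field(default_factory=list)    # (name, rrtype) replies dnsmasq called BOGUS
    status: str = "UNKNOWN"                      # final verdict: SECURE, INSECURE, BOGUS, ...


def summarise(log: str) -> ChainWalk:
    walk = ChainWalk()
    keys, ds = {}, {}
    for raw in log.splitlines():
        m = MSG_RE.match(raw)
        if not m:
            continue  # syslog repeat markers and non-dnsmasq lines
        msg = m.group("msg")
        if (q := QUERY_RE.match(msg)):
            walk.qname, walk.qtype = q.group("name"), q.group("qtype")
        elif (q := DNSSEC_QUERY_RE.match(msg)):
            if q.group("name") not in walk.walked:
                walk.walked.append(q.group("name"))
        elif (q := KEYTAG_RE.match(msg)):
            bucket = keys if q.group("rrtype") == "DNSKEY" else ds
            bucket.setdefault(q.group("name"), set()).add(int(q.group("tag")))
        elif (q := BOGUS_REPLY_RE.match(msg)):
            walk.bogus.append((q.group("name"), q.group("rrtype")))
        elif (q := VERDICT_RE.match(msg)):
            walk.status = q.group("status")
    walk.dnskeys = {z: sorted(t) for z, t in keys.items()}
    walk.ds = {z: sorted(t) for z, t in ds.items()}
    return walk


def chain_break(walk: ChainWalk):
    """Return (name, rrtype) where the chain of trust stopped, or None.

    A reply dnsmasq itself logged as BOGUS wins. Otherwise, for every zone whose
    DS tags were seen, require that the zone's DNSKEY set contains at least one
    key with a matching tag; a tag match is necessary (not sufficient) for the
    DS to validate, so a missing match is an obvious break worth reporting."""
    if walk.bogus:
        return walk.bogus[0]
    for zone, tags in walk.ds.items():
        if zone in walk.dnskeys and not set(tags) & set(walk.dnskeys[zone]):
            return (zone, "DS")
    return None


if __name__ == "__main__":
    for label, log in (("with dnssec-check-unsigned", BOGUS_LOG), ("without", INSECURE_LOG)):
        w = summarise(log)
        print(f"{label}: {w.qname}/{w.qtype} -> {w.status}; walked {w.walked}; break at {chain_break(w)}")
```

Run against the first excerpt this reports the walk `au`, `.`, `conf.au`, `linux.conf.au` with the verdict BOGUS and the break at the `linux.conf.au` DS lookup, which is exactly the step where the NSEC3 proof of "no DS here" has to be evaluated; the second excerpt yields no walk at all and INSECURE. A resolver operator can run the same parser over a log stream and alert on any `status == "BOGUS"` for a name other domains resolve fine, which is the signal that distinguishes a validator bug (as here) from a genuinely broken zone such as dnssec-failed.org.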