[Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

Simon Kelley simon at thekelleys.org.uk
Fri Jun 12 21:18:13 BST 2015


On 12/06/15 12:16, Maciej Soltysiak wrote:
> I think I have discovered what the problem is and it's unlikely to be
> dnsmasq.
> 
> What I do is that I have a setup which is basically a split horizon:
> - users who are not on the service get A record for using.dnscrypt from a
> DNSSEC signed zone
> - users who are on the service get *a different* A record for
> using.dnscrypt.pl from unbound, without sigs!
> 
> A user on my service, who has dnssec-check-unsigned enabled gets an
> unsigned response from a signed zone and the intended reaction of dnsmasq
> kicks in.
> 
> Not a bug then. Is my understanding correct?

Without doing an exhaustive analysis (I've done too many DNSSEC
post-mortems recently) that seems to be a reasonable explanation.
Certainly, using.dnscrypt.pl validates fine here.


dnsmasq: query[A] using.dnscrypt.pl from 127.0.0.1
dnsmasq: forwarded using.dnscrypt.pl to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] dnscrypt.pl to 8.8.8.8
dnsmasq: dnssec-query[DS] dnscrypt.pl to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] pl to 8.8.8.8
dnsmasq: dnssec-query[DS] pl to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 48613
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply pl is DS keytag 52250
dnsmasq: reply pl is DS keytag 52250
dnsmasq: reply pl is DNSKEY keytag 61416
dnsmasq: reply pl is DNSKEY keytag 6418
dnsmasq: reply pl is DNSKEY keytag 14899
dnsmasq: reply pl is DNSKEY keytag 52250
dnsmasq: reply dnscrypt.pl is DS keytag 65416
dnsmasq: reply dnscrypt.pl is DS keytag 65416
dnsmasq: reply dnscrypt.pl is DNSKEY keytag 65416
dnsmasq: reply dnscrypt.pl is DNSKEY keytag 3668
dnsmasq: reply dnscrypt.pl is DNSKEY keytag 43164
dnsmasq: reply dnscrypt.pl is DNSKEY keytag 64611
dnsmasq: validation result is SECURE
dnsmasq: reply using.dnscrypt.pl is <CNAME>
dnsmasq: reply not-using.dnscrypt.pl is 188.226.192.48

Cheers,

Simon.


> 
> Best regards,
> Maciej
> 
> On Fri, Jun 12, 2015 at 10:19 AM, Maciej Soltysiak <maciej at soltysiak.com>
> wrote:
> 
>> Hi,
>>
>> One of my users raised an issue that using.dnscrypt.pl does not resolve
>> when dnssec-check-unsigned is turned on.
>> I replicated the issue with most recent openwrt Chaos Calmer package:
>> dnsmasq-full.
>>
>> When dnssec and trust anchor are set and dnssec-check-unsigned is as well,
>> dnsmasq says BOGUS DS:
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
>> using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
>> using.dnscrypt.pl to 127.0.0.1
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
>> using.dnscrypt.pl to 127.0.0.1
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
>> using.dnscrypt.pl is BOGUS DS
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
>> using.dnscrypt.pl is BOGUS
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
>> using.dnscrypt.pl is 178.62.233.48
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
>> using.dnscrypt.pl from 192.168.1.206
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
>> using.dnscrypt.pl to 127.0.0.1
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
>> using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
>> using.dnscrypt.pl to 127.0.0.1
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
>> using.dnscrypt.pl to 127.0.0.1
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
>> using.dnscrypt.pl to 127.0.0.1
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
>> using.dnscrypt.pl is BOGUS DS
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
>> using.dnscrypt.pl is BOGUS
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
>> using.dnscrypt.pl is 178.62.233.48
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
>> using.dnscrypt.pl is BOGUS DS
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
>> using.dnscrypt.pl is BOGUS
>> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
>> using.dnscrypt.pl is 178.62.233.48
>>
>> Verisign dnssec check are ok:
>> http://dnssec-debugger.verisignlabs.com/using.dnscrypt.pl
>>
>> Oddly, dnscrypt.pl resolves fine. It also works fine if
>> dnssec-check-unsigned is turned off.
>>
>> Not sure if rc10 fixes it, it's not in openwrt repo yet.
>> Any ideas?
>>
>> Best regards,
>> Maciej Soltysiak
>> DNSCrypt Poland
>> https://dnscrypt.pl
>>
>>
>>
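As an added illustration, not code from this thread or from dnsmasq itself, the following Python models the decision a validating resolver makes when an answer arrives without signatures and dnssec-check-unsigned is on: walk the delegation chain from the trust anchor down, and only accept the unsigned answer if a validated DS denial proves the zone is unsigned. The delegation tree, the DS-query outcomes and the `example.pl` zone are constructed inputs standing in for real responses; the real dnsmasq issues the DS/DNSKEY queries seen in the logs above to obtain these proofs, which this model simply assumes.

```python
"""Model of the dnssec-check-unsigned decision for an answer that carries no RRSIG.

Added illustration: this is not dnsmasq's code. The delegation tree and the
outcome of each DS query are constructed inputs, not live DNS responses.
"""
from enum import Enum


class Status(Enum):
    SECURE = "SECURE"
    INSECURE = "INSECURE"
    BOGUS = "BOGUS"


# What a DS query for a name (asked of its parent zone) can prove to the validator.
SIGNED_CUT = "signed delegation"      # validated DS RRset: the child zone is signed
INSECURE_CUT = "insecure delegation"  # signed NSEC/NSEC3: NS present, no DS
NOT_A_CUT = "not a delegation"        # signed NSEC/NSEC3: no NS, name lives in the parent
UNPROVEN = "no usable proof"          # unsigned or missing denial: nothing validates


def ancestors(name: str):
    """Yield every name from the first label below the root down to NAME itself,
    e.g. 'using.dnscrypt.pl.' -> 'pl.', 'dnscrypt.pl.', 'using.dnscrypt.pl.'."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def validate_unsigned(name: str, ds_proofs: dict, check_unsigned: bool) -> Status:
    """Decide the status of an answer for NAME that carried no RRSIG.

    ds_proofs maps a name to what the DS query for it proved (constants above).
    The root is the trust anchor and needs no DS of its own.
    """
    if not check_unsigned:
        # Without dnssec-check-unsigned, unsigned answers are taken at face value.
        return Status.INSECURE
    for cut in ancestors(name):
        proof = ds_proofs.get(cut, UNPROVEN)
        if proof == INSECURE_CUT:
            # Provably unsigned zone: unsigned data is exactly what is expected.
            return Status.INSECURE
        if proof == UNPROVEN:
            # Cannot prove the zone is unsigned, so treat the answer as stripped.
            return Status.BOGUS
        # SIGNED_CUT or NOT_A_CUT: still inside a signed zone, keep walking down.
    # Every enclosing zone is signed, yet the answer had no RRSIG.
    return Status.BOGUS


def validate(name: str, signed: bool, ds_proofs: dict, check_unsigned: bool) -> Status:
    """Top-level decision. A signed answer is assumed to chain to the anchor."""
    if signed:
        return Status.SECURE  # RRSIG/DNSKEY chain modelled as validating, not computed
    return validate_unsigned(name, ds_proofs, check_unsigned)


# Constructed view of the public tree: DS for pl. and dnscrypt.pl. exist and
# validate, and using.dnscrypt.pl is an ordinary name inside dnscrypt.pl.
PUBLIC = {"pl.": SIGNED_CUT, "dnscrypt.pl.": SIGNED_CUT, "using.dnscrypt.pl.": NOT_A_CUT}

# Constructed split-horizon view: the local server hands back an unsigned A record
# and its DS answer for using.dnscrypt.pl carries nothing the validator can check.
SPLIT = {"pl.": SIGNED_CUT, "dnscrypt.pl.": SIGNED_CUT, "using.dnscrypt.pl.": UNPROVEN}

# Constructed contrast (hypothetical zone): a genuinely unsigned child zone whose
# parent serves a signed denial of DS.
UNSIGNED_CHILD = {"pl.": SIGNED_CUT, "example.pl.": INSECURE_CUT}


def scenarios() -> dict:
    """Run the cases that matter in the thread and return name -> Status."""
    return {
        "public tree, signed answer":
            validate("using.dnscrypt.pl.", True, PUBLIC, True),
        "split horizon, unsigned answer, check-unsigned on":
            validate("using.dnscrypt.pl.", False, SPLIT, True),
        "split horizon, unsigned answer, check-unsigned off":
            validate("using.dnscrypt.pl.", False, SPLIT, False),
        "unsigned answer, real proofs show a signed zone":
            validate("using.dnscrypt.pl.", False, PUBLIC, True),
        "unsigned answer from a provably unsigned zone":
            validate("host.example.pl.", False, UNSIGNED_CHILD, True),
    }


if __name__ == "__main__":
    for case, status in scenarios().items():
        print(f"{status.value:8} {case}")
```

The third and fourth cases are the practitioner's takeaway: switching dnssec-check-unsigned off hides the failure by accepting the unsigned record as INSECURE, while even a perfectly validatable DS chain still yields BOGUS, because the only thing that makes an unsigned answer acceptable under a signed parent is a signed proof of an insecure delegation, which a split-horizon server replacing signed data cannot supply.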