[Dnsmasq-discuss] DNSSEC failure with v2.73rc10
Simon Kelley
simon at thekelleys.org.uk
Fri Jun 12 21:40:22 BST 2015
Thanks Toke, finding these failure cases and fixing them, one at a time,
is very necessary, but somewhat gruelling.
In this case, database.srku.dk. is a CNAME for
database.studenterraad.dk. and that's a CNAME for web21.sd.eurovps.com.
The two CNAME domains are signed, but the eurovps.com isn't.
Hence the result of the A query is not validatable, and check-unsigned
has to prove that's OK, by showing that there's a secure denial of a DS
record covering the query.
A query for the DS records of .dk and .srku.dk give DS records,
database.srku.dk. gives
;; QUESTION SECTION:
;database.srku.dk. IN DS
;; ANSWER SECTION:
database.srku.dk. 21599 IN CNAME database.studenterraad.dk.
database.srku.dk. 21599 IN RRSIG CNAME 5 3 43200 20150706020221
20150606020221 37065 srku.dk.
edqGhVL0fNgBerYXlo8X2dV00DJ5c7cw31IT5zhAx0SMK7VXUw9/WwMg
ltYJnn0Xbo8uLr73KB1758PBpMQ0Jg==
database.studenterraad.dk. 21599 IN CNAME web21.sd.eurovps.com.
database.studenterraad.dk. 21599 IN RRSIG CNAME 5 3 43200 20150711144201
20150611144201 36045 studenterraad.dk.
czsVXeiOz5ZzMe830RUeMc6lT+ZsFDn6HzttyxvR2IXxeD3W4965JzA2
aTYWuW/Y3/W/7AHfC9vd6L0yi4HlBw==
;; AUTHORITY SECTION:
eurovps.com. 59 IN SOA ns2.eurovps.com. supervisor.eurovps.com.
2015060400 14400 7200 604800 1800
So, signed proof that the DS should be in eurovps.com. Finally, a query
for DS eurovps.com. gives
;; QUESTION SECTION:
;eurovps.com. IN DS
;; AUTHORITY SECTION:
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21599 IN NSEC3 1 1 0 -
CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21599 IN RRSIG NSEC3 8 2 86400
20150617050222 20150610035222 33878 com.
BmRR63rU6MqGAP9OAIhSPYjyM6iA1luC5NmUC3+GVlu2al8QbB2e5qAj
cVZnVsV3+GmRY0XPm1p2dEwW1tlMai2zU0Z+bo8EnMK7l95riZ/CRrQz
/btectiRyve7gL1jYgUrprivGuA5lHHCaHDufqcphbqOBQc2vGgf5b0Q msM=
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1434140903
1800 900 604800 86400
com. 899 IN RRSIG SOA 8 1 900 20150619202823 20150612191823 33878 com.
MkHrPzyePiZPSJ+L6ikL6mgyJIncZCj2J6I6iP3MPU2K1u6L3zaERQjM
WYMD3mozBp23MsWJ6B4Y2MAAFa48Cox744ZaL/tu/Gi07FeDNEV5qlIJ
VS3bgocZ3ZBRQyIY+NkxsmXBuzLB3dnbDKKewTkW8uOqcVlcePxuoeJ6 UdU=
1KHVDCFLLCJPF012Q9NBF47HKCHQJ9O3.com. 21599 IN NSEC3 1 1 0 -
1KI1CILTVQVH1Q1MTU3R9OCHA1FLB28R NS DS RRSIG
1KHVDCFLLCJPF012Q9NBF47HKCHQJ9O3.com. 21599 IN RRSIG NSEC3 8 2 86400
20150618042727 20150611031727 33878 com.
q8FFRw2b/pE/6n2S1GwetYD+NXzOA7BS0LeKDblxlgOwx7G6yl9u0euE
FH93Q0aw36nUjGp9YRRu6ZjriJHQR6a5wawYvOBe74IZQhJ8XBwkhQ76
GbEDQB8Tv6p43seg8nnbhmJp61/OLa5CM0t1pQ9yUvhkquaPXv8vvIs+ e7M=
Proof that there's no DS, so the original, unvalidatable answer can stand.
The code got lost somewhere in the CNAMEs when trying to prove
non-existence of the DS. I've just checked in a fix, and it behaves now.
Cheers,
Simon.
dnsmasq: query[A] database.srku.dk from 127.0.0.1
dnsmasq: forwarded database.srku.dk to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] srku.dk to 8.8.8.8
dnsmasq: dnssec-query[DS] srku.dk to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] dk to 8.8.8.8
dnsmasq: dnssec-query[DS] dk to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 48613
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply dk is DS keytag 61294
dnsmasq: reply dk is DNSKEY keytag 40794
dnsmasq: reply dk is DNSKEY keytag 61294
dnsmasq: reply dk is DNSKEY keytag 1804
dnsmasq: reply dk is DNSKEY keytag 52689
dnsmasq: reply srku.dk is DS keytag 2083
dnsmasq: reply srku.dk is DNSKEY keytag 37065
dnsmasq: reply srku.dk is DNSKEY keytag 2083
dnsmasq: dnssec-query[DNSKEY] studenterraad.dk to 8.8.8.8
dnsmasq: dnssec-query[DS] studenterraad.dk to 8.8.8.8
dnsmasq: reply studenterraad.dk is DS keytag 12253
dnsmasq: reply studenterraad.dk is DNSKEY keytag 36045
dnsmasq: reply studenterraad.dk is DNSKEY keytag 12253
dnsmasq: dnssec-query[DS] database.studenterraad.dk to 8.8.8.8
dnsmasq: dnssec-query[DS] com to 8.8.8.8
dnsmasq: reply com is DS keytag 30909
dnsmasq: dnssec-query[DS] eurovps.com to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] com to 8.8.8.8
dnsmasq: reply com is DNSKEY keytag 33878
dnsmasq: reply com is DNSKEY keytag 30909
dnsmasq: reply eurovps.com is no DS
dnsmasq: validation result is INSECURE
dnsmasq: reply database.srku.dk is <CNAME>
dnsmasq: reply database.studenterraad.dk is <CNAME>
dnsmasq: reply web21.sd.eurovps.com is 77.235.54.116
On 11/06/15 17:03, Toke Høiland-Jørgensen wrote:
> So I'm getting DNSSEC failures when trying to lookup the domain
> 'database.srku.dk'.
>
> 'dnssec' and 'dnssec-check-unsigned' are both enabled in the dnsmasq config.
>
> The relevant dnsmasq log with log-queries enabled:
>
> Jun 11 17:56:35 gauss dnsmasq[29455]: query[A] database.srku.dk from 10.42.8.5
> Jun 11 17:56:35 gauss dnsmasq[29455]: forwarded database.srku.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DNSKEY] srku.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] srku.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply srku.dk is DS keytag 2083
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply srku.dk is DNSKEY keytag 37065
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply srku.dk is DNSKEY keytag 2083
> Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DNSKEY] studenterraad.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] studenterraad.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply studenterraad.dk is DS keytag 12253
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply studenterraad.dk is DNSKEY keytag 12253
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply studenterraad.dk is DNSKEY keytag 36045
> Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] database.studenterraad.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.studenterraad.dk is BOGUS DS
> Jun 11 17:56:35 gauss dnsmasq[29455]: validation database.srku.dk is BOGUS
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.srku.dk is <CNAME>
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.studenterraad.dk is <CNAME>
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply web21.sd.eurovps.com is 77.235.54.116
>
> Trying the query with dig seems to work:
>
> $ dig +trace +dnssec database.studenterraad.dk @8.8.8.8
>
> ; <<>> DiG 9.9.2-P2 <<>> +trace +dnssec database.studenterraad.dk @8.8.8.8
> ;; global options: +cmd
> . 3175 IN NS l.root-servers.net.
> . 3175 IN NS j.root-servers.net.
> . 3175 IN NS c.root-servers.net.
> . 3175 IN NS f.root-servers.net.
> . 3175 IN NS g.root-servers.net.
> . 3175 IN NS b.root-servers.net.
> . 3175 IN NS k.root-servers.net.
> . 3175 IN NS d.root-servers.net.
> . 3175 IN NS i.root-servers.net.
> . 3175 IN NS a.root-servers.net.
> . 3175 IN NS e.root-servers.net.
> . 3175 IN NS m.root-servers.net.
> . 3175 IN NS h.root-servers.net.
> . 3175 IN RRSIG NS 8 0 518400 20150620170000 20150610160000 48613 . AVDPr19HNLu7NCcaE0NEJA++XTWfAzXdPe6x0uPW7ejcE62PAUl/MfEo FGM6+ogRDYFT0X0qpMhLhaUNtsqJ3drCZfRnlt7yZk7uS6QWXokqDE7j A6iyVF1C148QV5cEndaGpv2L6yS16zF3JUSJBhCtflrnjvrYNUQb27Iy WO4=
> ;; Received 397 bytes from 8.8.8.8#53(8.8.8.8) in 21 ms
>
> dk. 172800 IN NS b.nic.dk.
> dk. 172800 IN NS a.nic.dk.
> dk. 172800 IN NS l.nic.dk.
> dk. 172800 IN NS c.nic.dk.
> dk. 172800 IN NS s.nic.dk.
> dk. 172800 IN NS p.nic.dk.
> dk. 86400 IN DS 61294 8 2 7512ABC9F08F74085D4AEC9E7CC6DC402A689F146F9AAFDAE11FCE5D 3ADCA25E
> dk. 86400 IN RRSIG DS 8 1 86400 20150621050000 20150611040000 48613 . MdgBbP0CuPMGNATQrtCEetXyGNzpAyxOPHWgwRUynnAhDcE62A+V10KD YWzADm9HynztDvJXUOehr3sNU5GGKKpUMlI81x3qo8UliNH6MBfBNoaN kaKOjeCt4+KH13CsbII5If1a5knH1NqdXIr7YASsYpf4c8nMLlfcsHZP Hf8=
> ;; Received 569 bytes from 192.228.79.201#53(192.228.79.201) in 190 ms
>
> studenterraad.dk. 86400 IN NS ns2.gratisdns.dk.
> studenterraad.dk. 86400 IN NS ns4.gratisdns.dk.
> studenterraad.dk. 86400 IN NS ns5.gratisdns.dk.
> studenterraad.dk. 86400 IN NS ns1.gratisdns.dk.
> studenterraad.dk. 86400 IN NS ns3.gratisdns.dk.
> studenterraad.dk. 7200 IN DS 12253 5 1 225802A8082D4C8E6FA9F494DDB3A2689809FA7D
> studenterraad.dk. 7200 IN RRSIG DS 8 2 7200 20150708024337 20150610020313 1804 dk. v1N9I/nBESCEQ7Sakcz+eriU4uWF41DUGq9pubjcsYe8n6THEdfWp4ds PKLp1MSV9RalAyspdjxp84He9QloRx0KIkgCy3EZX6RlrdK8miyzzyo7 7uNa5vzaJBNILz2V64H8dLqlk9fx3TBwQeAS6msZRdT4fV/VEs3STVMb xXVLj37+KgoehwtldZ3SgAr7fTJQYuGESsCH5YDwiCtU30h/Cen8SZFH YGW8BYazgBgG+fneRRluuPwHPrZBIpggq+Ump80uJWXLhduPEJ3gj8o4 5jtKAbvDrlpo8Ai/kmcyFJdRgDzGIJzRpl5KFjdlhkX2BnqoaYG08PZT vIt6AA==
> ;; Received 672 bytes from 2001:678:78:42:ad::53#53(2001:678:78:42:ad::53) in 36 ms
>
> database.studenterraad.dk. 43200 IN CNAME web21.sd.eurovps.com.
> database.studenterraad.dk. 43200 IN RRSIG CNAME 5 3 43200 20150711144201 20150611144201 36045 studenterraad.dk. czsVXeiOz5ZzMe830RUeMc6lT+ZsFDn6HzttyxvR2IXxeD3W4965JzA2 aTYWuW/Y3/W/7AHfC9vd6L0yi4HlBw==
> ;; Received 200 bytes from 2a02:9d0:3002:1::2#53(2a02:9d0:3002:1::2) in 14 ms
>
> Is this a dnsmasq bug or is something else wrong? I can't seem to
> resolve anything in the studenterraad.dk zone through dnsmasq.
>
> -Toke
>
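The "proof that there's no DS" step in Simon's reply is the part dnsmasq got wrong for this CNAME chain, so the following added example (not code from the post, from Toke, or from dnsmasq itself) walks through what a validator must check for it: hash the names the way RFC 5155 prescribes, confirm that the first NSEC3 in the quoted `DS eurovps.com.` response is the closest encloser (`com.`), and confirm that the second NSEC3, which carries the opt-out flag, covers the hash of `eurovps.com.`. Only then may the resolver treat the unsigned answer as INSECURE rather than BOGUS. The two NSEC3 records are copied from the reply above with the wrapped lines rejoined; the parser and the `classify_ds_denial` helper are assumptions of this example and handle only the case of a child exactly one label below the parent, which is all the post needs.

```python
import hashlib
import base64

# RFC 5155 presentation format uses base32hex (RFC 4648 section 7).
# Python's b32encode emits the standard alphabet, so remap it.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of a name: lowercase labels, length-prefixed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), SHA-1 only."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def parse_nsec3(line):
    """Parse one NSEC3 RR in presentation format (one line; the RRSIG is not needed here)."""
    f = line.split()
    alg, flags, iters, salt, nxt = int(f[4]), int(f[5]), int(f[6]), f[7], f[8]
    if alg != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    return {
        "owner_hash": f[0].split(".")[0].upper(),
        "opt_out": bool(flags & 1),          # flag bit 0 = Opt-Out
        "iterations": iters,
        "salt": b"" if salt == "-" else bytes.fromhex(salt),
        "next_hash": nxt.upper(),
        "types": set(f[9:]),                 # type bitmap in presentation form
    }


def nsec3_covers(rr, h):
    """True if hash h lies strictly between owner and next, handling the chain wrap-around."""
    o, n = rr["owner_hash"], rr["next_hash"]
    if o < n:
        return o < h < n
    return h > o or h < n                    # last record of the chain points back to the first


def classify_ds_denial(parent, child, nsec3_rrs):
    """
    Classify a DS response for <child>, a delegation one label below <parent>.
    Returns "SECURE_DS" (a DS exists), "INSECURE" (provably no DS), or "BOGUS" (no valid proof).
    Assumes the RRSIGs over the NSEC3 records were already validated against the parent's keys.
    """
    closest_encloser_seen = False
    for rr in nsec3_rrs:
        h_child = nsec3_hash(child, rr["salt"], rr["iterations"])
        h_parent = nsec3_hash(parent, rr["salt"], rr["iterations"])
        if rr["owner_hash"] == h_child:
            # Exact match: the type bitmap answers the question directly.
            return "SECURE_DS" if "DS" in rr["types"] else "INSECURE"
        if rr["owner_hash"] == h_parent:
            closest_encloser_seen = True
    if closest_encloser_seen:
        # Opt-out proof: a covering NSEC3 with the Opt-Out flag set means the
        # unsigned delegation may legitimately have no DS record.
        for rr in nsec3_rrs:
            h_child = nsec3_hash(child, rr["salt"], rr["iterations"])
            if rr["opt_out"] and nsec3_covers(rr, h_child):
                return "INSECURE"
    return "BOGUS"


# NSEC3 records from the "DS eurovps.com." response quoted in the post, wrapped lines rejoined.
COM_DS_DENIAL = [
    "CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21599 IN NSEC3 1 1 0 - "
    "CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM",
    "1KHVDCFLLCJPF012Q9NBF47HKCHQJ9O3.com. 21599 IN NSEC3 1 1 0 - "
    "1KI1CILTVQVH1Q1MTU3R9OCHA1FLB28R NS DS RRSIG",
]


def eurovps_result():
    return classify_ds_denial("com.", "eurovps.com.", [parse_nsec3(l) for l in COM_DS_DENIAL])


if __name__ == "__main__":
    print("H(com.) =", nsec3_hash("com."))
    print("H(eurovps.com.) =", nsec3_hash("eurovps.com."))
    print("DS eurovps.com. ->", eurovps_result())
```

Two details matter for a correct check: the base32hex alphabet sorts the same way as the raw digest bytes, so string comparison of the hashes is a faithful ordering, and the last NSEC3 in a zone's chain has a "next" hash smaller than its owner, so the covering test must allow for that wrap-around. Note also that this proof is only meaningful once the RRSIGs over the NSEC3 records have been validated against the `com.` DNSKEY set, which is why Simon's log shows dnsmasq fetching `DNSKEY com` before it reports `eurovps.com is no DS`.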