[Dnsmasq-discuss] DNSSEC failure with v2.73rc10

Simon Kelley simon at thekelleys.org.uk
Fri Jun 12 21:40:22 BST 2015


Thanks Toke, finding these failure cases and fixing them, one at a time,
is very necessary, but somewhat gruelling.

In this case, database.srku.dk. is a CNAME for
database.studenterraad.dk. and that's a CNAME for web21.sd.eurovps.com.

The two CNAME domains are signed, but the eurovps.com isn't.

Hence the result of the A query is not validatable, and check-unsigned
has to prove that's OK, by showing that there's a secure denial of a DS
record covering the query.

A query for the DS records of .dk and .srku.dk gives DS records;
database.srku.dk. gives

;; QUESTION SECTION:
;database.srku.dk.		IN	DS

;; ANSWER SECTION:
database.srku.dk.	21599	IN	CNAME	database.studenterraad.dk.
database.srku.dk.	21599	IN	RRSIG	CNAME 5 3 43200 20150706020221
20150606020221 37065 srku.dk.
edqGhVL0fNgBerYXlo8X2dV00DJ5c7cw31IT5zhAx0SMK7VXUw9/WwMg
ltYJnn0Xbo8uLr73KB1758PBpMQ0Jg==
database.studenterraad.dk. 21599 IN	CNAME	web21.sd.eurovps.com.
database.studenterraad.dk. 21599 IN	RRSIG	CNAME 5 3 43200 20150711144201
20150611144201 36045 studenterraad.dk.
czsVXeiOz5ZzMe830RUeMc6lT+ZsFDn6HzttyxvR2IXxeD3W4965JzA2
aTYWuW/Y3/W/7AHfC9vd6L0yi4HlBw==

;; AUTHORITY SECTION:
eurovps.com.		59	IN	SOA	ns2.eurovps.com. supervisor.eurovps.com.
2015060400 14400 7200 604800 1800


So, signed proof that the DS should be in eurovps.com. Finally, a query
for DS eurovps.com. gives

;; QUESTION SECTION:
;eurovps.com.			IN	DS

;; AUTHORITY SECTION:
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21599 IN NSEC3 1 1 0 -
CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21599 IN RRSIG NSEC3 8 2 86400
20150617050222 20150610035222 33878 com.
BmRR63rU6MqGAP9OAIhSPYjyM6iA1luC5NmUC3+GVlu2al8QbB2e5qAj
cVZnVsV3+GmRY0XPm1p2dEwW1tlMai2zU0Z+bo8EnMK7l95riZ/CRrQz
/btectiRyve7gL1jYgUrprivGuA5lHHCaHDufqcphbqOBQc2vGgf5b0Q msM=
com.			899	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1434140903
1800 900 604800 86400
com.			899	IN	RRSIG	SOA 8 1 900 20150619202823 20150612191823 33878 com.
MkHrPzyePiZPSJ+L6ikL6mgyJIncZCj2J6I6iP3MPU2K1u6L3zaERQjM
WYMD3mozBp23MsWJ6B4Y2MAAFa48Cox744ZaL/tu/Gi07FeDNEV5qlIJ
VS3bgocZ3ZBRQyIY+NkxsmXBuzLB3dnbDKKewTkW8uOqcVlcePxuoeJ6 UdU=
1KHVDCFLLCJPF012Q9NBF47HKCHQJ9O3.com. 21599 IN NSEC3 1 1 0 -
1KI1CILTVQVH1Q1MTU3R9OCHA1FLB28R NS DS RRSIG
1KHVDCFLLCJPF012Q9NBF47HKCHQJ9O3.com. 21599 IN RRSIG NSEC3 8 2 86400
20150618042727 20150611031727 33878 com.
q8FFRw2b/pE/6n2S1GwetYD+NXzOA7BS0LeKDblxlgOwx7G6yl9u0euE
FH93Q0aw36nUjGp9YRRu6ZjriJHQR6a5wawYvOBe74IZQhJ8XBwkhQ76
GbEDQB8Tv6p43seg8nnbhmJp61/OLa5CM0t1pQ9yUvhkquaPXv8vvIs+ e7M=

Proof that there's no DS, so the original, unvalidatable answer can stand.

The code got lost somewhere in the CNAMEs when trying to prove
non-existence of the DS. I've just checked in a fix, and it behaves now.

Cheers,

Simon.


dnsmasq: query[A] database.srku.dk from 127.0.0.1
dnsmasq: forwarded database.srku.dk to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] srku.dk to 8.8.8.8
dnsmasq: dnssec-query[DS] srku.dk to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] dk to 8.8.8.8
dnsmasq: dnssec-query[DS] dk to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 48613
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply dk is DS keytag 61294
dnsmasq: reply dk is DNSKEY keytag 40794
dnsmasq: reply dk is DNSKEY keytag 61294
dnsmasq: reply dk is DNSKEY keytag 1804
dnsmasq: reply dk is DNSKEY keytag 52689
dnsmasq: reply srku.dk is DS keytag 2083
dnsmasq: reply srku.dk is DNSKEY keytag 37065
dnsmasq: reply srku.dk is DNSKEY keytag 2083
dnsmasq: dnssec-query[DNSKEY] studenterraad.dk to 8.8.8.8
dnsmasq: dnssec-query[DS] studenterraad.dk to 8.8.8.8
dnsmasq: reply studenterraad.dk is DS keytag 12253
dnsmasq: reply studenterraad.dk is DNSKEY keytag 36045
dnsmasq: reply studenterraad.dk is DNSKEY keytag 12253
dnsmasq: dnssec-query[DS] database.studenterraad.dk to 8.8.8.8
dnsmasq: dnssec-query[DS] com to 8.8.8.8
dnsmasq: reply com is DS keytag 30909
dnsmasq: dnssec-query[DS] eurovps.com to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] com to 8.8.8.8
dnsmasq: reply com is DNSKEY keytag 33878
dnsmasq: reply com is DNSKEY keytag 30909
dnsmasq: reply eurovps.com is no DS
dnsmasq: validation result is INSECURE
dnsmasq: reply database.srku.dk is <CNAME>
dnsmasq: reply database.studenterraad.dk is <CNAME>
dnsmasq: reply web21.sd.eurovps.com is 77.235.54.116





On 11/06/15 17:03, Toke Høiland-Jørgensen wrote:
> So I'm getting getting DNSSEC failures when trying to lookup the domain
> 'database.srku.dk'.
> 
> 'dnssec' and 'dnssec-check-unsigned' are both enabled in the dnsmasq config.
> 
> The relevant dnsmasq log with log-queries enabled:
> 
> Jun 11 17:56:35 gauss dnsmasq[29455]: query[A] database.srku.dk from 10.42.8.5
> Jun 11 17:56:35 gauss dnsmasq[29455]: forwarded database.srku.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DNSKEY] srku.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] srku.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply srku.dk is DS keytag 2083
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply srku.dk is DNSKEY keytag 37065
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply srku.dk is DNSKEY keytag 2083
> Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DNSKEY] studenterraad.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] studenterraad.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply studenterraad.dk is DS keytag 12253
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply studenterraad.dk is DNSKEY keytag 12253
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply studenterraad.dk is DNSKEY keytag 36045
> Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] database.studenterraad.dk to ::1
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.studenterraad.dk is BOGUS DS
> Jun 11 17:56:35 gauss dnsmasq[29455]: validation database.srku.dk is BOGUS
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.srku.dk is <CNAME>
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.studenterraad.dk is <CNAME>
> Jun 11 17:56:35 gauss dnsmasq[29455]: reply web21.sd.eurovps.com is 77.235.54.116
> 
> Trying the query with dig seems to work:
> 
> $ dig +trace +dnssec database.studenterraad.dk @8.8.8.8
> 
> ; <<>> DiG 9.9.2-P2 <<>> +trace +dnssec database.studenterraad.dk @8.8.8.8
> ;; global options: +cmd
> .			3175	IN	NS	l.root-servers.net.
> .			3175	IN	NS	j.root-servers.net.
> .			3175	IN	NS	c.root-servers.net.
> .			3175	IN	NS	f.root-servers.net.
> .			3175	IN	NS	g.root-servers.net.
> .			3175	IN	NS	b.root-servers.net.
> .			3175	IN	NS	k.root-servers.net.
> .			3175	IN	NS	d.root-servers.net.
> .			3175	IN	NS	i.root-servers.net.
> .			3175	IN	NS	a.root-servers.net.
> .			3175	IN	NS	e.root-servers.net.
> .			3175	IN	NS	m.root-servers.net.
> .			3175	IN	NS	h.root-servers.net.
> .			3175	IN	RRSIG	NS 8 0 518400 20150620170000 20150610160000 48613 . AVDPr19HNLu7NCcaE0NEJA++XTWfAzXdPe6x0uPW7ejcE62PAUl/MfEo FGM6+ogRDYFT0X0qpMhLhaUNtsqJ3drCZfRnlt7yZk7uS6QWXokqDE7j A6iyVF1C148QV5cEndaGpv2L6yS16zF3JUSJBhCtflrnjvrYNUQb27Iy WO4=
> ;; Received 397 bytes from 8.8.8.8#53(8.8.8.8) in 21 ms
> 
> dk.			172800	IN	NS	b.nic.dk.
> dk.			172800	IN	NS	a.nic.dk.
> dk.			172800	IN	NS	l.nic.dk.
> dk.			172800	IN	NS	c.nic.dk.
> dk.			172800	IN	NS	s.nic.dk.
> dk.			172800	IN	NS	p.nic.dk.
> dk.			86400	IN	DS	61294 8 2 7512ABC9F08F74085D4AEC9E7CC6DC402A689F146F9AAFDAE11FCE5D 3ADCA25E
> dk.			86400	IN	RRSIG	DS 8 1 86400 20150621050000 20150611040000 48613 . MdgBbP0CuPMGNATQrtCEetXyGNzpAyxOPHWgwRUynnAhDcE62A+V10KD YWzADm9HynztDvJXUOehr3sNU5GGKKpUMlI81x3qo8UliNH6MBfBNoaN kaKOjeCt4+KH13CsbII5If1a5knH1NqdXIr7YASsYpf4c8nMLlfcsHZP Hf8=
> ;; Received 569 bytes from 192.228.79.201#53(192.228.79.201) in 190 ms
> 
> studenterraad.dk.	86400	IN	NS	ns2.gratisdns.dk.
> studenterraad.dk.	86400	IN	NS	ns4.gratisdns.dk.
> studenterraad.dk.	86400	IN	NS	ns5.gratisdns.dk.
> studenterraad.dk.	86400	IN	NS	ns1.gratisdns.dk.
> studenterraad.dk.	86400	IN	NS	ns3.gratisdns.dk.
> studenterraad.dk.	7200	IN	DS	12253 5 1 225802A8082D4C8E6FA9F494DDB3A2689809FA7D
> studenterraad.dk.	7200	IN	RRSIG	DS 8 2 7200 20150708024337 20150610020313 1804 dk. v1N9I/nBESCEQ7Sakcz+eriU4uWF41DUGq9pubjcsYe8n6THEdfWp4ds PKLp1MSV9RalAyspdjxp84He9QloRx0KIkgCy3EZX6RlrdK8miyzzyo7 7uNa5vzaJBNILz2V64H8dLqlk9fx3TBwQeAS6msZRdT4fV/VEs3STVMb xXVLj37+KgoehwtldZ3SgAr7fTJQYuGESsCH5YDwiCtU30h/Cen8SZFH YGW8BYazgBgG+fneRRluuPwHPrZBIpggq+Ump80uJWXLhduPEJ3gj8o4 5jtKAbvDrlpo8Ai/kmcyFJdRgDzGIJzRpl5KFjdlhkX2BnqoaYG08PZT vIt6AA==
> ;; Received 672 bytes from 2001:678:78:42:ad::53#53(2001:678:78:42:ad::53) in 36 ms
> 
> database.studenterraad.dk. 43200 IN	CNAME	web21.sd.eurovps.com.
> database.studenterraad.dk. 43200 IN	RRSIG	CNAME 5 3 43200 20150711144201 20150611144201 36045 studenterraad.dk. czsVXeiOz5ZzMe830RUeMc6lT+ZsFDn6HzttyxvR2IXxeD3W4965JzA2 aTYWuW/Y3/W/7AHfC9vd6L0yi4HlBw==
> ;; Received 200 bytes from 2a02:9d0:3002:1::2#53(2a02:9d0:3002:1::2) in 14 ms
> 
> 
> 
> 
> Is this a dnsmasq bug or is something else wrong? I can't seem to
> resolve anything in the studenterraad.dk zone through dnsmasq.
> 
> -Toke
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
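The check-unsigned walk Simon describes above, as an added worked example: this is not dnsmasq's code and not from the thread, just a small Python model of the DS walk over a CNAME chain. The zone names, the CNAME chain and the final address are taken from the thread; DS_ORACLE is a constructed stand-in for the DS queries dnsmasq sends upstream (the status labels "ds", "insecure-cut", "in-zone" and "bogus" are this example's own), and the functions `ancestors`, `check_unsigned` and `validate_chain` are hypothetical names.

```python
"""Model of the dnssec-check-unsigned walk over a CNAME chain.

Added illustration only, not dnsmasq's code. Zone names, the CNAME
chain and the final address are taken from the thread; DS_ORACLE is a
constructed stand-in for the DS queries dnsmasq sends upstream, and
the status labels are this example's own.
"""
from typing import Dict, Iterator, List, Tuple

# What the validator learns from a DS query at a given name:
#   "ds"           validated DS RRset: the child zone is signed
#   "insecure-cut" validated NSEC/NSEC3 denial: NS present, DS absent,
#                  i.e. a delegation into an unsigned zone
#   "in-zone"      validated denial showing neither NS nor DS: the name
#                  is not a zone cut, keep walking
#   "bogus"        no validated answer and no validated denial
DS_ORACLE: Dict[str, str] = {
    "dk.": "ds",
    "srku.dk.": "ds",
    "studenterraad.dk.": "ds",
    "com.": "ds",
    "eurovps.com.": "insecure-cut",   # the NSEC3 denial from com. in the thread
}

# The CNAME chain from the log: (owner, rrtype, rdata, carried a valid RRSIG?)
CHAIN: List[Tuple[str, str, str, bool]] = [
    ("database.srku.dk.", "CNAME", "database.studenterraad.dk.", True),
    ("database.studenterraad.dk.", "CNAME", "web21.sd.eurovps.com.", True),
    ("web21.sd.eurovps.com.", "A", "77.235.54.116", False),
]


def ancestors(name: str) -> Iterator[str]:
    """Yield 'c.', 'b.c.', 'a.b.c.' for 'a.b.c.': every name the DS walk
    must ask about, top down. The root is the trust anchor, not queried."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def check_unsigned(name: str, oracle: Dict[str, str]) -> Tuple[str, str]:
    """Classify an RRset at `name` that carried no validating signature.

    Walk DS queries from the TLD down to the name itself. The first proven
    insecure delegation justifies the unsigned data (INSECURE). A DS query
    that returns neither a DS nor a validated denial is BOGUS. If every
    ancestor down to the name is inside signed zones, the data should have
    been signed, so the missing RRSIG is itself BOGUS.
    Returns (verdict, name at which the walk stopped)."""
    for zone in ancestors(name):
        status = oracle.get(zone, "bogus")
        if status == "insecure-cut":
            return "INSECURE", zone
        if status not in ("ds", "in-zone"):
            return "BOGUS", zone
    return "BOGUS", name


def validate_chain(chain: List[Tuple[str, str, str, bool]],
                   oracle: Dict[str, str]) -> str:
    """Validate a CNAME chain link by link. A signed link needs nothing
    more; an unsigned link must be justified by a DS walk on its *own*
    owner name, not on the name the client originally asked for. The
    overall result is SECURE only if every link was signed."""
    result = "SECURE"
    for owner, _rrtype, _rdata, signed in chain:
        if signed:
            continue
        verdict, _stopped_at = check_unsigned(owner, oracle)
        if verdict == "BOGUS":
            return "BOGUS"
        result = "INSECURE"
    return result


if __name__ == "__main__":
    for owner, rrtype, rdata, signed in CHAIN:
        print(f"{owner} {rrtype} {rdata} signed={signed}")
    print("validation result is", validate_chain(CHAIN, DS_ORACLE))
    # Same chain, but the validated denial for eurovps.com. is missing
    broken = {k: v for k, v in DS_ORACLE.items() if k != "eurovps.com."}
    print("without the DS denial:", validate_chain(CHAIN, broken))
```

Run against the oracle above, the walk for web21.sd.eurovps.com. asks DS at com. (present) and then at eurovps.com. (securely denied) and stops there, which is the sequence the log in Simon's reply shows before "validation result is INSECURE". Drop the denial for eurovps.com. from the oracle and the same chain comes back BOGUS, which is the shape of failure Toke reported: an unsigned answer with no validated proof of an insecure delegation to excuse it. The point of keying the walk on each unsigned link's own owner name is that a DS walk started from the original query name (database.srku.dk.) would never reach eurovps.com.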



