[Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

Stéphane Guedon stephane at 22decembre.eu
Sun Jun 14 08:06:53 BST 2015


On Friday 12 June 2015, 13:16:09 Maciej Soltysiak wrote:
> I think I have discovered what the problem is and it's unlikely to be
> dnsmasq.
> 
> What I do is that I have a setup which is basically a split horizon:
> - users who are not on the service get A record for using.dnscrypt from a
> DNSSEC signed zone
> - users who are on the service get *a different* A record for
> using.dnscrypt.pl from unbound, without sigs!
> 
> A user on my service, who has dnssec-check-unsigned enabled gets an
> unsigned response from a signed zone and the intended reaction of dnsmasq
> kicks in.
> 
> Not a bug then. Is my understanding correct?

As far as I understand, I have the same issue (except that dnsmasq itself is 
serving the unsigned zone and unbound the signed one)!

To solve that, I propose putting the unsigned zone on a different domain or zone 
than the signed one.

server.domain.org is signed and the public face of your server.

server.intern.domain.org is unsigned. Your users can then use this address, 
and the DNS can still give different answers depending on where they are.

Do you understand me?

Do you think it is a good idea? (I am thinking of using it for my case.)

> 
> Best regards,
> Maciej
> 
> On Fri, Jun 12, 2015 at 10:19 AM, Maciej Soltysiak <maciej at soltysiak.com>
> 
> wrote:
> > Hi,
> > 
> > One of my users raised an issue that using.dnscrypt.pl does not resolve
> > when dnssec-check-unsigned is turned on.
> > I replicated the issue with most recent openwrt Chaos Calmer package:
> > dnsmasq-full.
> > 
> > When dnssec and trust anchor are set and dnssec-check-unsigned is as well,
> > dnsmasq says BOGUS DS:
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
> > using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
> > using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is 178.62.233.48
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
> > using.dnscrypt.pl from 192.168.1.206
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
> > using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
> > using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is 178.62.233.48
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
> > using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is 178.62.233.48
> > 
> > The Verisign DNSSEC check is OK:
> > http://dnssec-debugger.verisignlabs.com/using.dnscrypt.pl
> > 
> > Oddly, dnscrypt.pl resolves fine. It also works fine if
> > dnssec-check-unsigned is turned off.
> > 
> > Not sure if rc10 fixes it, it's not in openwrt repo yet.
> > Any ideas?
> > 
> > Best regards,
> > Maciej Soltysiak
> > DNSCrypt Poland
> > https://dnscrypt.pl

-- 
This signature.asc file? It's a GPG signature.  
If you want to know why I use GPG and why you should too, 
you can read my article:  

http://www.22decembre.eu/2015/03/21/introduction-fr/
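The failure Maciej describes and the workaround proposed above, as an added model of the check a validating resolver performs when dnssec-check-unsigned is on (this is an illustration written for this thread, not dnsmasq's own code; the zone table below is invented):

```python
"""Toy model of the logic behind dnsmasq's dnssec-check-unsigned.

Constructed example, not dnsmasq's code. A validator that receives an unsigned
answer must prove the name lives under an insecure delegation: it walks the
zone cuts from the trust anchor downward looking for a signed parent that
(provably) publishes no DS for the child. If every cut has a DS, the enclosing
zone is expected to be signed and an unsigned answer is BOGUS.
"""

# Zone apex -> (zone signs its data, parent publishes a DS for it).
# The root is the trust anchor. All entries are invented for the example.
ZONES = {
    ".": (True, True),
    "pl.": (True, True),
    "dnscrypt.pl.": (True, True),          # signed public zone
    "org.": (True, True),
    "domain.org.": (True, True),           # signed public face
    "intern.domain.org.": (False, False),  # delegated with no DS: insecure
}


def zone_cuts(qname):
    """Zone apexes enclosing qname, ordered from the root down."""
    labels = qname.rstrip(".").split(".")
    candidates = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return [c for c in candidates if c in ZONES]


def chain_state(qname):
    """SECURE, INSECURE or BOGUS: status of the deepest zone holding qname."""
    state = "SECURE"                    # the root is the trust anchor
    for child in zone_cuts(qname)[1:]:
        signed, has_ds = ZONES[child]
        if state == "INSECURE":
            continue                    # everything below an insecure cut is insecure
        if not has_ds:
            state = "INSECURE"          # signed parent proves "no DS": insecure delegation
        elif not signed:
            return "BOGUS"              # a DS exists but the child is not signed
    return state


def validate(qname, answer_signed):
    """Outcome dnsmasq would log for an answer at qname."""
    state = chain_state(qname)
    if state == "INSECURE":
        return "INSECURE"               # accepted even with dnssec-check-unsigned
    if state == "BOGUS" or not answer_signed:
        return "BOGUS"                  # unsigned data inside a signed zone
    return "SECURE"
```

The workaround only helps if intern.domain.org is a separate zone whose parent publishes no DS for it; an unsigned name that sits inside the signed domain.org zone still validates as BOGUS.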