[Dnsmasq-discuss] Dnsmasq masks dnssec signatures for AAAA records when serving local A records for the same hostname
simon at thekelleys.org.uk
Mon Jul 13 14:45:49 BST 2015
On 09/07/15 16:45, Felix Lechner wrote:
> Hello Simon,
> What version of dnsmasq are you using?
> Shibby's changelog states that an update to dnsmaq 2.72+ occurred
> in his Tomato version 1.25. Presumably that is also in the Tomato
> 1.28 on my router.
> – dnsmasq 2.72+ up to December 9 2014 – thx @toastman
>> Are you saying that dnsmasq strips the signatures from the
>> answers which arrive from upstream?
> Yes. My zone defines AAAA records for some local hosts behind NAT.
> Those records do not validate on local validating resolvers when
> using the Tomato router for DNS.
> Querying dnsmasq shows the signatures are not forwarded. (Other
> record types such as SSH fingerprints are apparently also not
> forwarded.) The AAAA record is forwarded.
My best guess is that dnsmasq is answering the queries without ever
forwarding them to the upstream nameserver, because it has the
information to do that (from /etc/hosts or similar, or DHCP leases.)
Can you add --log-queries to the dnsmasq configuration. That will tell
us what's happening.
> dig @tomato-router -t any host-behind-nat-with-global-aaaa-record
> shows the local A record and the global AAAA records, but no RRSIG,
> NSEC or SSHFP records.
> dig @tomato-router -t any
> shows global A, AAAA, RRSIG, NSEC and SSHFP records.
> dig @authoritative-server -t any
> shows global AAAA, RRSIG, NSEC and SSHFP records, but of course no
> local A record.
> I could avoid the router for DNS, but then I lose the local A
> records, which I need because some devices autoconfigure via DHCP
> but do not support IPv6.
>> Do you have DNSSEC validation enabled in dnsmasq?
> I don't think it would be enabled in Tomato. I did not modify the
> default configuration.
>> On 30/06/15 04:07, Felix Lechner wrote:
>>> My tomato router does not forward DNSSEC signatures for AAAA
>>> records when also serving local A records for the same
>>> hostnames from DHCP.
>>> A local validating resolver which uses dnsmasq for caching
>>> will then not show the AAAA records from the signed zone.
>>> Can I turn off the local DHCP hostname resolution (or the
>>> signature masking, if it is intentional), please?
>>> Thank you!
>>> Tomato firmware version is 1.28.
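A check for the symptom described in this thread, added here as an example and not taken from the thread or from dnsmasq itself: it parses two dig-style answer sections (constructed samples with placeholder names and signature data, embedded below) and reports which types the authoritative server signs but the router either returns without their RRSIG or does not return at all, while leaving the router's own unsigned local A record unflagged. In practice the two inputs would be the answer sections of `dig +dnssec @router host ANY` and `dig +dnssec @authoritative host ANY`.

```python
import re
from collections import defaultdict

# Constructed sample answer sections in dig's presentation format (names, addresses
# and signature data are placeholders, not from the thread). The router copy models
# the reported symptom: AAAA forwarded, RRSIG and SSHFP dropped, local A record added.
ROUTER_ANSWER = """\
host.example.net. 3600 IN A 192.0.2.10
host.example.net. 3600 IN AAAA 2001:db8::10
"""
AUTHORITATIVE_ANSWER = """\
host.example.net. 3600 IN AAAA 2001:db8::10
host.example.net. 3600 IN RRSIG AAAA 8 3 3600 20150801000000 20150701000000 12345 example.net. AbCd==
host.example.net. 3600 IN SSHFP 1 1 0123456789abcdef0123456789abcdef01234567
host.example.net. 3600 IN RRSIG SSHFP 8 3 3600 20150801000000 20150701000000 12345 example.net. EfGh==
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_answer(text):
    """Return {owner: {rrtype: [rdata, ...]}} from dig-style answer lines."""
    rrsets = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # blank lines and dig's ';;' comment lines
        owner, _ttl, rrtype, rdata = m.groups()
        rrsets[owner.lower()][rrtype.upper()].append(rdata)
    return rrsets

def unsigned_types(rrsets, owner):
    """Record types at owner with no RRSIG covering them (RRSIG rdata starts
    with the covered type, e.g. 'AAAA 8 3 3600 ...')."""
    types = rrsets.get(owner.lower(), {})
    covered = {rd.split()[0].upper() for rd in types.get("RRSIG", [])}
    return sorted(t for t in types if t != "RRSIG" and t not in covered)

def stripped_types(router_text, auth_text, owner):
    """Return (types the router answers unsigned although the zone signs them,
    signed types the router does not answer at all). A local A record that the
    zone never signed is unsigned at the router but is deliberately not flagged."""
    router, auth = parse_answer(router_text), parse_answer(auth_text)
    auth_types = auth.get(owner.lower(), {})
    signed = set(auth_types) - set(unsigned_types(auth, owner)) - {"RRSIG"}
    router_types = router.get(owner.lower(), {})
    unsigned = sorted(t for t in unsigned_types(router, owner) if t in signed)
    missing = sorted(t for t in signed if t not in router_types)
    return unsigned, missing
```

If the router reports stripped or missing types while `--log-queries` shows the query was never forwarded upstream, the answer came from dnsmasq's local data (hosts file or DHCP leases), which is the explanation Simon suggests above.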