[Dnsmasq-discuss] Cannot resolve csail.mit.edu with --dnssec

Anders Kaseorg andersk at mit.edu
Fri Jul 17 10:54:04 BST 2015

csail.mit.edu is a signed zone inside the unsigned mit.edu zone.  (It 
happens to be registered in dlv.isc.org, but that’s not relevant to 
dnsmasq.)  Since an NSEC3 record in edu verifies that mit.edu is 
unsigned, this should be fine.  However, dnsmasq thinks that everything 
in csail.mit.edu is BOGUS and returns SERVFAIL.  This occurs even 
without --dnssec-check-unsigned.

Log output from current master:

$ src/dnsmasq -d --log-queries=extra --dnssec -C trust-anchors.conf -R 
dnsmasq: started, version 2.74rc3 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN 
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
dnsmasq: DNSSEC validation enabled
dnsmasq: using nameserver
dnsmasq: read /etc/hosts - 7 addresses
dnsmasq: 1 query[A] csail.mit.edu from
dnsmasq: 1 forwarded csail.mit.edu to
dnsmasq: * dnssec-query[DNSKEY] csail.mit.edu to
dnsmasq: * dnssec-query[DS] csail.mit.edu to
dnsmasq: 1 validation csail.mit.edu is BOGUS
dnsmasq: 1 reply csail.mit.edu is

Some quick debugging shows that the translation from STAT_NO_SIG to 
STAT_BOGUS occurs here at src/forward.c:854:

              else if (status == STAT_NO_NS || status == STAT_NO_SIG)
                status = STAT_BOGUS;

git bisect blames commit 97e618a0e3f29465acc689d87288596b006f197e 
“DNSSEC: do top-down search for limit of secure delegation.”  (For what 
it’s worth, I know you put a lot of work into that commit at my 
suggestion, so I don’t want to sound ungrateful or anything!)
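As an added illustration of the distinction the report turns on (constructed model, not dnsmasq's source; the enum, struct and zone list are assumptions): a top-down search for the limit of secure delegation stops at the first delegation whose DS is proven absent, so a signed zone below an unsigned parent is INSECURE, and BOGUS is reserved for a delegation where neither a DS nor its denial can be verified.

```c
/* Constructed model of a top-down search for the limit of secure delegation
 * (added example, not dnsmasq code). Zone names and proofs are sample data. */
#include <stddef.h>

typedef enum { STAT_SECURE, STAT_INSECURE, STAT_BOGUS } stat_t;

/* What the parent zone's validated answer says about the child's DS record. */
typedef enum {
    DS_PRESENT,        /* signed DS RRset: child is securely delegated */
    DS_PROVEN_ABSENT,  /* validated NSEC/NSEC3 denial: child is unsigned */
    DS_UNVERIFIABLE    /* no usable signature and no valid denial */
} ds_proof_t;

typedef struct {
    const char *child;   /* zone being delegated to, e.g. "mit.edu" */
    ds_proof_t proof;    /* evidence the parent provides about it */
} delegation_t;

/* Walk from the trust anchor downwards. The chain of trust ends at the first
 * delegation whose DS is proven absent: everything below is INSECURE, even if
 * a lower zone publishes its own DNSKEYs and RRSIGs, because no path from the
 * anchor reaches them. Only a delegation where neither a DS nor its denial
 * can be verified is BOGUS. Order matters: the search must never look past
 * a proven-unsigned delegation. */
stat_t validate_chain(const delegation_t *chain, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (chain[i].proof == DS_UNVERIFIABLE)
            return STAT_BOGUS;
        if (chain[i].proof == DS_PROVEN_ABSENT)
            return STAT_INSECURE;
    }
    return STAT_SECURE;
}

/* Constructed chain for the case in the report: root -> edu has a DS, edu
 * proves via NSEC3 that mit.edu has no DS, and csail.mit.edu sits below.
 * The unsigned mit.edu cannot provide a verifiable DS or denial for
 * csail.mit.edu, but that entry is never reached: the verdict is INSECURE. */
const delegation_t csail_chain[] = {
    { "edu",           DS_PRESENT },
    { "mit.edu",       DS_PROVEN_ABSENT },
    { "csail.mit.edu", DS_UNVERIFIABLE },
};
const size_t csail_chain_len = sizeof csail_chain / sizeof csail_chain[0];

/* Contrast (constructed): a signed parent that returns neither a DS nor a
 * valid denial for the child. Here BOGUS is the right answer. */
const delegation_t bogus_chain[] = {
    { "edu",         DS_PRESENT },
    { "example.edu", DS_UNVERIFIABLE },
};
const size_t bogus_chain_len = sizeof bogus_chain / sizeof bogus_chain[0];
```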