[Dnsmasq-discuss] Cannot resolve csail.mit.edu with --dnssec
Simon Kelley
simon at thekelleys.org.uk
Mon Jul 27 19:08:37 BST 2015
I just committed a fix to this.
Cheers,
Simon.
On 17/07/15 10:54, Anders Kaseorg wrote:
> csail.mit.edu is a signed zone inside the unsigned mit.edu zone. (It
> happens to be registered in dlv.isc.org, but that’s not relevant to
> dnsmasq.) Since an NSEC3 record in edu verifies that mit.edu is
> unsigned, this should be fine. However, dnsmasq thinks that everything
> in csail.mit.edu is BOGUS and returns SERVFAIL. This occurs even
> without --dnssec-check-unsigned.
>
> Log output from current master:
>
> $ make COPTS='-DHAVE_DNSSEC'
> $ src/dnsmasq -d --log-queries=extra --dnssec -C trust-anchors.conf -R
> -S 8.8.8.8
> dnsmasq: started, version 2.74rc3 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN
> DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
> dnsmasq: DNSSEC validation enabled
> dnsmasq: using nameserver 8.8.8.8#53
> dnsmasq: read /etc/hosts - 7 addresses
> dnsmasq: 1 127.0.0.1/42010 query[A] csail.mit.edu from 127.0.0.1
> dnsmasq: 1 127.0.0.1/42010 forwarded csail.mit.edu to 8.8.8.8
> dnsmasq: * 127.0.0.1/42010 dnssec-query[DNSKEY] csail.mit.edu to 8.8.8.8
> dnsmasq: * 127.0.0.1/42010 dnssec-query[DS] csail.mit.edu to 8.8.8.8
> dnsmasq: 1 127.0.0.1/42010 validation csail.mit.edu is BOGUS
> dnsmasq: 1 127.0.0.1/42010 reply csail.mit.edu is 128.30.2.121
>
> Some quick debugging shows that the translation from STAT_NO_SIG to
> STAT_BOGUS occurs here at src/forward.c:854:
>
> else if (status == STAT_NO_NS || status == STAT_NO_SIG)
>   status = STAT_BOGUS;
>
> git bisect blames commit 97e618a0e3f29465acc689d87288596b006f197e
> “DNSSEC: do top-down search for limit of secure delegation.” (For what
> it’s worth, I know you put a lot of work into that commit at my
> suggestion, so I don’t want to sound ungrateful or anything!)
>
> Anders
>
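The rule Anders relies on (a cut whose signed parent proves there is no DS ends the secure chain, so everything below it is INSECURE rather than BOGUS, and only a missing proof is BOGUS) as an added C model that is not dnsmasq's own code: it walks the delegation chain top-down over a constructed table of DS proofs. The STAT_* names are borrowed from dnsmasq for readability; their values, the table contents and the made-up broken.edu cut are assumptions.

```c
#include <string.h>

/* Outcome names mirror dnsmasq's STAT_* codes for readability; the values
   and the logic below are a constructed model, not dnsmasq's forward.c. */
enum { STAT_SECURE, STAT_INSECURE, STAT_BOGUS };

/* What a signed parent zone proves about a child's DS record. */
enum { DS_PRESENT, DS_PROVEN_ABSENT, DS_NO_PROOF };

/* Constructed delegation table: the signed root holds a DS for edu, an
   NSEC3 in edu proves mit.edu has no DS (so mit.edu is unsigned), and
   broken.edu is a made-up cut where edu answers with neither DS nor proof. */
static const struct { const char *zone; int ds; } cuts[] = {
    { "edu",        DS_PRESENT },
    { "mit.edu",    DS_PROVEN_ABSENT },
    { "broken.edu", DS_NO_PROOF },
};

static int ds_status(const char *zone)
{
    size_t i;
    for (i = 0; i < sizeof cuts / sizeof cuts[0]; i++)
        if (strcmp(cuts[i].zone, zone) == 0)
            return cuts[i].ds;
    return DS_NO_PROOF;  /* a cut we cannot account for under a signed parent */
}

/* Top-down walk from the root: at each cut ask the signed parent about the
   child's DS. A proven-absent DS ends the secure chain, so everything below
   that point is INSECURE, not BOGUS; a missing proof is the BOGUS case. */
int delegation_status(const char *qname)
{
    const char *p = qname + strlen(qname);   /* start at the root end */
    int status = STAT_SECURE;                /* the root is the trust anchor */
    while (p > qname) {
        /* step back one label so p points at the next-longer suffix */
        do { p--; } while (p > qname && p[-1] != '.');
        switch (ds_status(p)) {
        case DS_PRESENT:       status = STAT_SECURE; break;
        case DS_PROVEN_ABSENT: return STAT_INSECURE;  /* unsigned from here down */
        default:               return STAT_BOGUS;
        }
    }
    return status;
}
```

With this table csail.mit.edu (and any name under it) comes out INSECURE at the mit.edu cut, which is the answer the quoted STAT_NO_SIG to STAT_BOGUS collapse was turning into SERVFAIL.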