[Dnsmasq-discuss] DNSSEC failure with v2.73rc10

Simon Kelley simon at thekelleys.org.uk
Tue Sep 8 23:39:26 BST 2015


On 01/09/15 09:15, Toke Høiland-Jørgensen wrote:
> Toke Høiland-Jørgensen <toke at toke.dk> writes:
> 
> >>> The two CNAME domains are signed, but the eurovps.com isn't.
>>>
>>> Hence the result of the A query is not validatable, and check-unsigned
>>> has to prove that's OK, by showing that there's a secure denial of a DS
>>> record covering the query
>>
>> Figured it probably had something to do with the transition from a
>> signed to an unsigned domain.
> 
> So, I ran into this failure again on dnsmasq-2.75:
> 
> Sep 01 10:11:50 gauss dnsmasq[28718]: query[A] database.srku.dk from 10.42.8.5
> Sep 01 10:11:50 gauss dnsmasq[28718]: forwarded database.srku.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DNSKEY] srku.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] srku.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DNSKEY] dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DS keytag 61294
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DNSKEY keytag 16800
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DNSKEY keytag 61294
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DNSKEY keytag 7203
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply srku.dk is DS keytag 2083
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply srku.dk is DNSKEY keytag 37065
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply srku.dk is DNSKEY keytag 2083
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DNSKEY] studenterraad.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] studenterraad.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply studenterraad.dk is DS keytag 12253
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply studenterraad.dk is DNSKEY keytag 36045
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply studenterraad.dk is DNSKEY keytag 12253
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] database.studenterraad.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: validation database.srku.dk is BOGUS
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply database.srku.dk is <CNAME>
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply database.studenterraad.dk is <CNAME>
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply web21.sd.eurovps.com is 77.235.54.116
> 
> 
> Turning off dnssec-check-unsigned makes the resolution succeed...
> 
> -Toke
> 

Strange. I'm sure that this was working. I can't remember clearly enough
to be able to tell if the domain data has changed. Anyway, it's tripping
over a dangling CNAME as answer to a DS query now. I have a fix which
seems to work, but I need to think on it a bit longer before committing
it...


Cheers,

Simon.
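The trace Toke posted shows the pattern the thread is about: dnsmasq walks the chain dk -> srku.dk -> studenterraad.dk proving a DS at each step, then issues a DS query for database.studenterraad.dk and reports the answer as BOGUS, while the only reply ever logged for that name is a CNAME. The script below is an added example (not code from the thread or from dnsmasq): it parses that log format, and for every validation verdict lists the DS lookups that were issued and flags those for which no DS record was logged, together with whatever the name did answer with. The sample input is the trace from the thread with the mail quoting left in; the assumption that a "DS keytag" reply line marks a proven DS, and that a denial-of-existence reply would need its own pattern, is mine.

```python
"""Audit a dnsmasq DNSSEC log trace.

For each "validation <name> is <status>" line, report which DS lookups were
issued beforehand and which of them never received a logged DS record.
Added example, not dnsmasq code; the log format is taken from the thread.
"""
import re
from collections import OrderedDict

# syslog prefix as it appears in the thread: "Sep 01 10:11:51 gauss dnsmasq[28718]: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
DNSSEC_Q_RE = re.compile(r"^dnssec-query\[(?P<qtype>\w+)\] (?P<name>\S+) to (?P<server>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<rdata>.*)$")
VALIDATION_RE = re.compile(r"^validation (?P<name>\S+) is (?P<status>\w+)$")

# Sample input: the trace from the thread, still carrying the "> " mail quoting.
SAMPLE_LOG = """\
> Sep 01 10:11:50 gauss dnsmasq[28718]: query[A] database.srku.dk from 10.42.8.5
> Sep 01 10:11:50 gauss dnsmasq[28718]: forwarded database.srku.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DNSKEY] srku.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] srku.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DNSKEY] dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DS keytag 61294
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DNSKEY keytag 16800
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DNSKEY keytag 61294
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DNSKEY keytag 7203
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply srku.dk is DS keytag 2083
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply srku.dk is DNSKEY keytag 37065
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply srku.dk is DNSKEY keytag 2083
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DNSKEY] studenterraad.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] studenterraad.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply studenterraad.dk is DS keytag 12253
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply studenterraad.dk is DNSKEY keytag 36045
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply studenterraad.dk is DNSKEY keytag 12253
> Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] database.studenterraad.dk to ::1
> Sep 01 10:11:51 gauss dnsmasq[28718]: validation database.srku.dk is BOGUS
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply database.srku.dk is <CNAME>
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply database.studenterraad.dk is <CNAME>
> Sep 01 10:11:51 gauss dnsmasq[28718]: reply web21.sd.eurovps.com is 77.235.54.116
"""


def parse_messages(text):
    """Return the dnsmasq message part of each syslog line; '>' mail quoting is tolerated."""
    msgs = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()
        m = LINE_RE.match(line)
        if m:
            msgs.append(m.group("msg"))
    return msgs


def audit_validation(text):
    """Return one dict per validation verdict.

    ds_lookups: DS queries issued (in order) before the verdict.
    ds_unproven: DS queries for which no "DS keytag" reply was logged anywhere in
    the trace, mapped to the replies that name did get (e.g. ["<CNAME>"]).
    Assumption: dnsmasq logs a proven DS as "reply <name> is DS keytag N"; a
    logged NSEC/NSEC3 denial would need its own pattern and is not handled here.
    """
    msgs = parse_messages(text)
    # Collect every reply per name first: the final-answer replies are logged
    # after the verdict line, so a single forward pass would miss them.
    replies = OrderedDict()
    for msg in msgs:
        r = REPLY_RE.match(msg)
        if r:
            replies.setdefault(r.group("name"), []).append(r.group("rdata"))

    verdicts, ds_lookups = [], []
    for msg in msgs:
        q = DNSSEC_Q_RE.match(msg)
        if q:
            if q.group("qtype") == "DS":
                ds_lookups.append(q.group("name"))
            continue
        v = VALIDATION_RE.match(msg)
        if v:
            unproven = OrderedDict()
            for name in ds_lookups:
                got = replies.get(name, [])
                if not any(rd.startswith("DS keytag") for rd in got):
                    unproven[name] = got
            verdicts.append({
                "name": v.group("name"),
                "status": v.group("status"),
                "ds_lookups": list(ds_lookups),
                "ds_unproven": unproven,
            })
            ds_lookups = []  # lookups belong to the verdict they precede
    return verdicts


if __name__ == "__main__":
    for v in audit_validation(SAMPLE_LOG):
        print(f"{v['name']}: {v['status']}; DS lookups: {', '.join(v['ds_lookups'])}")
        for name, got in v["ds_unproven"].items():
            print(f"  no DS logged for {name}; replies seen: {got or 'none'}")
```

Run against the sample, the auditor reports the one BOGUS verdict for database.srku.dk and a single DS lookup without a DS record, database.studenterraad.dk, whose only reply is the CNAME. An entry in ds_unproven is not by itself a validation failure: a legitimate unsigned delegation is proven by an NSEC or NSEC3 denial rather than a DS record, so the value of the output is in showing what the name answered with instead, which in this trace is the dangling CNAME the maintainer points to.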
