[Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC

Simon Kelley simon at thekelleys.org.uk
Mon Jan 4 15:54:58 GMT 2016



What release are you using, Uwe?

I just tried the git-HEAD code, and pangaea.de is OK, both
issues.pangaea.de, which is a genuine record, and simon.pangaea.de, which
is an expansion of the wildcard:

;simon.pangaea.de.		IN	A

;; ANSWER SECTION:
simon.pangaea.de.	21599	IN	A	134.1.2.171
simon.pangaea.de.	21599	IN	RRSIG	A 7 2 28800 20160109144508
20151226151023 12714 pangaea.de.
jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q
MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m
HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=

;; AUTHORITY SECTION:
pangaea.de.		21599	IN	NS	ns2.domaindiscount24.net.
pangaea.de.		21599	IN	NS	ns3.domaindiscount24.net.
pangaea.de.		21599	IN	NS	ns1.domaindiscount24.net.
pangaea.de.		21599	IN	RRSIG	NS 7 2 28800 20160109071640 20151226151023
12714 pangaea.de.
l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p
O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql
maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=
ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN NSEC3 1 0 5
89D0BF16A5176B72 U1NCQMCLBNAMOFE2B186713NF2I82HUC CNAME RRSIG
ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN RRSIG NSEC3 7 3
3600 20160111155643 20151228181431 12714 pangaea.de.
JuqEskBXSOC+3d+a2VPrlLlvQgMsiIa+duYpe/egYi4M9UdixtzDfYs2
qWJpDqlsO3lf5Eeeh2bbrZudnYmjQ9q4i8viPZO2j+nGdDCASFNUXzHb
B7ynmS1Ba3393TAiCoYbPKbf5HURNRDjR3T6m4dUriYPGJM7mc6Q7Cu+ MRM=


The 0skar.cz test domains have very long dates on the signature
expiration fields, which found a bug in that code. Having fixed that,
I can validate everything that Google DNS validates.

Cheers,

Simon.



On 04/01/16 14:48, Uwe Schindler wrote:
> Hi,
> 
> I found out that resolving of DNSSEC signed wildcard domains does
> not work correctly with dnsmasq. I think the problem is that it
> looks for a signature of the requested domain name and not the
> wildcard.
> 
> The following fails:
> 
> $ dig issues.pangaea.de
> 
> ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59252
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;issues.pangaea.de.             IN      A
> 
> ;; Query time: 18 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 04 15:43:42 CET 2016
> ;; MSG SIZE  rcvd: 46
> 
> 
> The reason is: "issues.pangaea.de" is covered by a star domain
> "*.pangaea.de" that is correctly signed (tested from another server
> - not using dnsmasq):
> 
> $ dig +dnssec *.pangaea.de
> 
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de'
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8436
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;*.pangaea.de.                  IN      A
> 
> ;; ANSWER SECTION:
> *.pangaea.de.           28790   IN      A       134.1.2.171
> *.pangaea.de.           28790   IN      RRSIG   A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de.
> jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q
> MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m
> HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=
> 
> ;; AUTHORITY SECTION:
> pangaea.de.             28790   IN      NS      ns2.domaindiscount24.net.
> pangaea.de.             28790   IN      NS      ns3.domaindiscount24.net.
> pangaea.de.             28790   IN      NS      ns1.domaindiscount24.net.
> pangaea.de.             28790   IN      RRSIG   NS 7 2 28800 20160109071640 20151226151023 12714 pangaea.de.
> l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p
> O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql
> maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=
> 
> ;; Query time: 0 msec
> ;; SERVER: 85.25.128.10#53(85.25.128.10)
> ;; WHEN: Mon Jan  4 14:42:43 2016
> ;; MSG SIZE  rcvd: 471
> 
> How should this be solved? This is another one where dnssec fails,
> so clearly a bug.
> 
> There is a test page about exactly that case, which fails for me
> when resolving through dnsmasq: http://0skar.cz/dns/en/
> 
> Uwe
> 
> ----- Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen 
> http://www.thetaphi.de eMail: uwe at thetaphi.de
> 
> 
> 
> 
> 
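As an added example, not dnsmasq's code and not from either message above, here are the two RRSIG checks a validator has to get right for the wildcard answer discussed in this thread: reconstructing the wildcard owner name from the RRSIG labels field before hashing the signed data (RFC 4035 s.5.3.1, the point Uwe raises), and comparing inception/expiration with 32-bit serial arithmetic (RFC 4034 s.3.1.5, the area Simon's long-date bug touches). The sample RRSIG is the one dig returned for simon.pangaea.de; the function names are my own.

```python
import struct, time, calendar
from collections import namedtuple

Rrsig = namedtuple("Rrsig", "type_covered algorithm labels original_ttl "
                   "expiration inception key_tag signer signature_b64")

def parse_rrsig_rdata(text: str) -> Rrsig:
    """Parse presentation-format RRSIG RDATA as dig prints it (RFC 4034 s.3.1)."""
    f = text.split()
    return Rrsig(f[0], int(f[1]), int(f[2]), int(f[3]), f[4], f[5],
                 int(f[6]), f[7].lower(), "".join(f[8:]))

def labels_of(name: str) -> list:
    """Labels of a fully qualified name, lowercased, root label excluded."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def signed_owner_name(owner: str, sig: Rrsig) -> tuple:
    """Return (name the signature covers, whether it is a wildcard).
    The labels field counts the signed owner's labels with "*" excluded.
    RFC 4035 s.5.3.1: if it is smaller than the answer owner's label count,
    the answer was synthesized from a wildcard; verify against
    "*.<rightmost labels>", not the queried name, then check the NSEC/NSEC3
    records proving no closer name exists."""
    labels = labels_of(owner)
    if sig.labels > len(labels):
        raise ValueError("RRSIG labels field larger than owner name")
    if sig.labels == len(labels):
        return ".".join(labels) + ".", False
    return "*." + ".".join(labels[-sig.labels:]) + ".", True

def wire_name(name: str) -> bytes:
    """Canonical wire form: length-prefixed lowercase labels plus root."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels_of(name)) + b"\0"

def signed_rr_header(owner: str, sig: Rrsig, rrtype: int = 1) -> bytes:
    """owner|type|class|TTL exactly as it enters the signature hash: wildcard
    owner name and the RRSIG's *original* TTL (28800 above), not the
    decremented TTL dig shows (21599)."""
    name, _ = signed_owner_name(owner, sig)
    return wire_name(name) + struct.pack("!HHI", rrtype, 1, sig.original_ttl)

def rrsig_time_valid(sig: Rrsig, now: int) -> bool:
    """inception <= now <= expiration with RFC 1982 serial arithmetic on
    32-bit values, as RFC 4034 s.3.1.5 requires (far-future dates wrap)."""
    def epoch(s): return calendar.timegm(time.strptime(s, "%Y%m%d%H%M%S")) & 0xFFFFFFFF
    def le(a, b): return a == b or (b - a) % (1 << 32) < (1 << 31)
    return le(epoch(sig.inception), now) and le(now, epoch(sig.expiration))

# Sample input taken from the thread: the RRSIG dig returned for simon.pangaea.de.
SAMPLE = ("A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. "
          "jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q")
```

For the SERVFAIL above the relevant call is signed_owner_name("issues.pangaea.de.", sig), which yields "*.pangaea.de."; a validator that hashes the queried name instead can never match the signature.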


