[Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
Simon Kelley
simon at thekelleys.org.uk
Mon Jan 4 15:54:58 GMT 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
What release are you using, Uwe?
I just tried the git-HEAD code, and pangaea.de is OK, both
issues.pangaea.de, which is a genuine record, and simon.pangaea.de, which
is an expansion of the wildcard:
;simon.pangaea.de. IN A
;; ANSWER SECTION:
simon.pangaea.de. 21599 IN A 134.1.2.171
simon.pangaea.de. 21599 IN RRSIG A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=
;; AUTHORITY SECTION:
pangaea.de. 21599 IN NS ns2.domaindiscount24.net.
pangaea.de. 21599 IN NS ns3.domaindiscount24.net.
pangaea.de. 21599 IN NS ns1.domaindiscount24.net.
pangaea.de. 21599 IN RRSIG NS 7 2 28800 20160109071640 20151226151023 12714 pangaea.de. l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=
ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN NSEC3 1 0 5 89D0BF16A5176B72 U1NCQMCLBNAMOFE2B186713NF2I82HUC CNAME RRSIG
ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN RRSIG NSEC3 7 3 3600 20160111155643 20151228181431 12714 pangaea.de. JuqEskBXSOC+3d+a2VPrlLlvQgMsiIa+duYpe/egYi4M9UdixtzDfYs2 qWJpDqlsO3lf5Eeeh2bbrZudnYmjQ9q4i8viPZO2j+nGdDCASFNUXzHb B7ynmS1Ba3393TAiCoYbPKbf5HURNRDjR3T6m4dUriYPGJM7mc6Q7Cu+ MRM=
The 0skar.cz test domains have very long dates on the signature
expiration fields, which found a bug in that code. Having fixed that,
I can validate everything that Google DNS validates.
Cheers,
Simon.
On 04/01/16 14:48, Uwe Schindler wrote:
> Hi,
>
> I found out that resolving of DNSSEC signed wildcard domains does
> not work correctly with dnsmasq. I think the problem is that it
> looks for a signature of the requested domain name and not the
> wildcard.
>
> The following fails:
>
> $ dig issues.pangaea.de
>
> ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59252
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;issues.pangaea.de. IN A
>
> ;; Query time: 18 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 04 15:43:42 CET 2016
> ;; MSG SIZE rcvd: 46
>
>
> The reason is: "issues.pangaea.de" is covered by a star domain
> "*.pangaea.de" that is correctly signed (tested from another server
> - not using dnsmasq):
>
> $ dig +dnssec *.pangaea.de
>
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de'
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8436
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;*.pangaea.de. IN A
>
> ;; ANSWER SECTION:
> *.pangaea.de. 28790 IN A 134.1.2.171
> *.pangaea.de. 28790 IN RRSIG A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=
>
> ;; AUTHORITY SECTION:
> pangaea.de. 28790 IN NS ns2.domaindiscount24.net.
> pangaea.de. 28790 IN NS ns3.domaindiscount24.net.
> pangaea.de. 28790 IN NS ns1.domaindiscount24.net.
> pangaea.de. 28790 IN RRSIG NS 7 2 28800 20160109071640 20151226151023 12714 pangaea.de. l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=
>
> ;; Query time: 0 msec
> ;; SERVER: 85.25.128.10#53(85.25.128.10)
> ;; WHEN: Mon Jan 4 14:42:43 2016
> ;; MSG SIZE rcvd: 471
>
> How should this be solved? This is another one where dnssec fails,
> so clearly a bug.
>
> There is a test page about exactly that case, which fails for me
> when resolving through dnsmasq: http://0skar.cz/dns/en/
>
> Uwe
>
> ----- Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de eMail: uwe at thetaphi.de
>
> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----
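What the report and Simon's dig output turn on is the Labels field of the RRSIG. For simon.pangaea.de the A RRSIG reads "7 2 28800 ...": a Labels value of 2 against a three-label owner name tells a validator that the signature was generated over *.pangaea.de, so the wildcard name, not the queried name, has to go into the signed data. The following is an added example written for this thread; it is not dnsmasq code and not anything Simon or Uwe posted. It shows the two RRSIG checks from RFC 4035 section 5.3.1 on a record exactly as dig prints it: rebuilding the wildcard owner from the Labels field, and testing the inception/expiration window with the RFC 1982 serial-number arithmetic that RFC 4034 section 3.1.5 requires (which is what makes far-future expiration dates awkward). The record string is copied from the page; the "now" clock values and the wrap-around test values are constructed.

```python
"""Added example, not dnsmasq code: the Labels and validity-window checks of
RFC 4035 section 5.3.1 applied to an RRSIG in dig's presentation format."""
from datetime import datetime, timezone

# Copied from Simon's dig output in the thread: the A RRSIG for simon.pangaea.de.
SAMPLE_RRSIG = (
    "simon.pangaea.de. 21599 IN RRSIG A 7 2 28800 20160109144508 "
    "20151226151023 12714 pangaea.de. "
    "jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q"
    "MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m"
    "HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64="
)

MOD = 1 << 32
HALF = 1 << 31


def parse_rrsig(presentation):
    """Split one RRSIG record in dig's presentation format into its RDATA fields (RFC 4034 section 3.1)."""
    f = presentation.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": f[8],
        "inception": f[9],
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature": "".join(f[12:]),  # dig breaks the base64 into chunks
    }


def effective_labels(name):
    """Labels as RFC 4034 section 3.1.3 counts them: the root label and a leading '*' do not count."""
    parts = [p for p in name.rstrip(".").split(".") if p]
    if parts and parts[0] == "*":
        parts = parts[1:]
    return parts


def signed_name(owner, rrsig_labels):
    """Return (name the signature was generated over, expanded?) per RFC 4035 section 5.3.1.

    A Labels field smaller than the owner's label count means the RRSIG covers a
    wildcard; the validator must rebuild '*.' plus the rightmost Labels labels and
    sign-check that name instead of the queried one.  A Labels field larger than
    the owner's label count can never be right, so it is rejected outright.
    """
    parts = effective_labels(owner)
    if rrsig_labels > len(parts):
        raise ValueError("RRSIG Labels field exceeds owner label count: bogus")
    if rrsig_labels == len(parts):
        return owner, False
    return "*." + ".".join(parts[len(parts) - rrsig_labels:]) + ".", True


def serial_le(a, b):
    """a <= b under 32-bit serial-number arithmetic (RFC 1982), as RFC 4034 section 3.1.5 mandates."""
    return a == b or (b - a) % MOD < HALF


def to_serial(ts):
    """dig prints signature times as YYYYMMDDHHMMSS in UTC; the wire value is the low 32 bits of epoch seconds."""
    dt = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def within_validity(inception, expiration, now):
    """RFC 4035 section 5.3.1: inception <= now <= expiration, every comparison in serial arithmetic.

    Under RFC 1982 a window of 2**31 seconds or more (about 68 years) cannot be
    ordered, so such a window is treated as bogus rather than as 'always valid'.
    """
    if not serial_le(inception, expiration):
        return False
    return serial_le(inception, now) and serial_le(now, expiration)


def check_rrsig(presentation, now_text):
    """Run both checks on one RRSIG as dig printed it; now_text is the validator's clock in dig's time format."""
    sig = parse_rrsig(presentation)
    name, expanded = signed_name(sig["owner"], sig["labels"])
    time_ok = within_validity(
        to_serial(sig["inception"]), to_serial(sig["expiration"]), to_serial(now_text)
    )
    return {
        "signed_name": name,
        "wildcard_expanded": expanded,
        "time_valid": time_ok,
        "key_tag": sig["key_tag"],
        "signer": sig["signer"],
    }


if __name__ == "__main__":
    # Constructed clock: the time of Simon's mail, which lies inside the RRSIG window.
    print(check_rrsig(SAMPLE_RRSIG, "20160104155458"))
```

Two things a real validator still has to do before it can return the wildcard answer as secure are deliberately left out: it must verify the signature bytes against the pangaea.de DNSKEY over the reconstructed *.pangaea.de name, and it must use the NSEC3 record in the authority section of Simon's output to prove that no name closer to simon.pangaea.de than the wildcard exists (RFC 4035 section 5.3.4). A resolver that skips the Labels step and hashes the queried name gets a signature mismatch and returns SERVFAIL, which is the symptom Uwe reported.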