[Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC

[Uwe Schindler]

Hi,

> I just tried the git-HEAD code, and pangaea.de is OK, both
> issues.pangea.de, which is a genuine record, and simon.pangea.de which
> is an expansion of the wildcard

I changed issues.pangaea.de to a genuine record already (this is how I identified the issue). The test with simon.pangaea.de now also passes (test4), but this one is broken with 2.75.

Sorry for changing the DNS record after I submitted to this mailing list.

> ;simon.pangaea.de.		IN	A
> 
> ;; ANSWER SECTION:
> simon.pangaea.de.	21599	IN	A	134.1.2.171
> simon.pangaea.de.	21599	IN	RRSIG	A 7 2 28800 20160109144508
> 20151226151023 12714 pangaea.de.
> jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q
> MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m
> HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=
> 
> ;; AUTHORITY SECTION:
> pangaea.de.		21599	IN	NS	ns2.domaindiscount24.net.
> pangaea.de.		21599	IN	NS	ns3.domaindiscount24.net.
> pangaea.de.		21599	IN	NS	ns1.domaindiscount24.net.
> pangaea.de.		21599	IN	RRSIG	NS 7 2 28800 20160109071640
> 20151226151023
> 12714 pangaea.de.
> l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p
> O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql
> maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=
> ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN NSEC3 1 0 5
> 89D0BF16A5176B72 U1NCQMCLBNAMOFE2B186713NF2I82HUC CNAME
> RRSIG
> ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN RRSIG NSEC3 7
> 3
> 3600 20160111155643 20151228181431 12714 pangaea.de.
> JuqEskBXSOC+3d+a2VPrlLlvQgMsiIa+duYpe/egYi4M9UdixtzDfYs2
> qWJpDqlsO3lf5Eeeh2bbrZudnYmjQ9q4i8viPZO2j+nGdDCASFNUXzHb
> B7ynmS1Ba3393TAiCoYbPKbf5HURNRDjR3T6m4dUriYPGJM7mc6Q7Cu+
> MRM=
> 
> 
> The 0skar.cz test domains have very long dates on the signature
> expiration fields, which found a bug in that code. Having fixed that,
> I can validate everything that Google DNS validates.
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> On 04/01/16 14:48, Uwe Schindler wrote:
> > Hi,
> >
> > I found out that resolving of DNSSEC signed wildcard domains does
> > not work correctly with dnsmasq. I think the problem is that it
> > looks for a signature of the requested domain name and not the
> > wildcard.
> >
> > The following fails:
> >
> > $ dig issues.pangaea.de
> >
> > ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de ;; global
> > options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status:
> > SERVFAIL, id: 59252 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0,
> > AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
> > QUESTION SECTION: ;issues.pangaea.de.             IN      A
> >
> > ;; Query time: 18 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN:
> > Mon Jan 04 15:43:42 CET 2016 ;; MSG SIZE  rcvd: 46
> >
> >
> > The reason is: "issues.pangaea.de" is covered by a star domain
> > "*.pangaea.de" that is correctly signed (tested from another server
> > - not using dnsmasq):
> >
> > $ dig +dnssec *.pangaea.de
> >
> > ; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de' ;; global options:
> > +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
> > id: 8436 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4,
> > ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
> > QUESTION SECTION: ;*.pangaea.de.                  IN      A
> >
> > ;; ANSWER SECTION: *.pangaea.de.           28790   IN      A
> > 134.1.2.171 *.pangaea.de.           28790   IN      RRSIG   A 7 2
> > 28800 20160109144508 20151226151023 12714 pangaea.de.
> > jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q
> > MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m
> > HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=
> >
> > ;; AUTHORITY SECTION: pangaea.de.             28790   IN      NS
> > ns2.domaindiscount24.net. pangaea.de.             28790   IN
> > NS      ns3.domaindiscount24.net. pangaea.de.             28790
> > IN      NS      ns1.domaindiscount24.net. pangaea.de.
> > 28790   IN      RRSIG   NS 7 2 28800 20160109071640 20151226151023
> > 12714 pangaea.de.
> > l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p
> > O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql
> > maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK
> W+g=
> >
> > ;; Query time: 0 msec ;; SERVER: 85.25.128.10#53(85.25.128.10) ;;
> > WHEN: Mon Jan  4 14:42:43 2016 ;; MSG SIZE  rcvd: 471
> >
> > How should this be solved? This is another one where dnssec fails,
> > so clearly a bug.
> >
> > There is a test page about exactly that case, which fails for me
> > when resolving through dnsmasq: http://0skar.cz/dns/en/
> >
> > Uwe
> >
> > ----- Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de eMail: uwe at thetaphi.de
> >
> >
> >
> >
> > _______________________________________________ Dnsmasq-
> discuss
> > mailing list Dnsmasq-discuss at lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> 
> iQIcBAEBCAAGBQJWipXSAAoJEBXN2mrhkTWiKtAQAJ3P1xuzpuF6QUGbTQHE
> rbJ/
> ypClZDMNRWuVy0vCF8rQjZoR1xlJU5RMawUzeXmqHgfOg1v148vyZWwG/7E
> CTfH+
> zHziB7Fi0D+lo6fwXmFMMz7L0fXRmyK1YIvQ98+rJoSImV0H8eXJxyJzeh5+BQZ
> G
> FqzL25PntLLn3HetzwQddwdn6D3Ev4TbL5ECjSwoyFmRHz4U/T0hYq/+bAl2M3
> Ip
> 16rGMHa0xD10SSlKI/ZEVRhGXZba/di4rskIp9MEuBmNftchmFtjndSvs4hLTYnq
> OB3oMbCfLzNL7zN23rzXZRWkoTPKkEKffS0hvnpEZRXPvD2mZKHsxx0M7iG75
> ZNE
> cyg2vFiUVdv/vNNWEVenL6GTjLShv0zEwEJ6JhO89lF4PaCz7FEifldSw6YDVHnY
> jhZ+IX/bSL3P4iWA1WvykaD7Edctq2gPkwjwljeNBOGHrdHWET3tDXopKzUkEH
> cz
> rH/UKFr+p4OVaKJsKdIbJFnIgr8bK+kNbXLHHI2sr0hUAOG40j+HQ+ZPYAJW1gk
> W
> 3duZLds9fKIaQqy3Ria/4y2rtnS4BQmIoLXPD/BW4znNf5DBZAY11Cz5NIBheHAL
> OEptaJpaIVQgKglbzIlVKDDHHyhC0TJDxr1H409yn4CMK1HC1wASgPLCsbLNR0X
> d
> u7aRdENLTmSfWXGDy3GS
> =H7RO
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss