[Dnsmasq-discuss] DNSSEC and Mozilla domains not working

Simon Kelley simon at thekelleys.org.uk
Mon Jul 11 22:08:31 BST 2016


On 10/07/16 09:21, Marcel Mutter wrote:
> I enabled DNSSEC a few weeks ago and all seems to be working.
> Yesterday I wanted to visit Mozilla.org and nothing happened. I see
> that the request is being sent to the upstream nameserver, however
> nothing is displayed by dnsmasq as a response. I am running "dnsmasq
> -d" with logging enabled so I can see the output in real time.
> 
> dnsmasq: query[A] ftp.mozilla.org from 192.168.xxx.xxx
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DS] org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] . to 194.109.9.99
> dnsmasq: reply . is DNSKEY keytag 19036, algo 8
> dnsmasq: reply . is DNSKEY keytag 60615, algo 8
> dnsmasq: reply . is DNSKEY keytag 46551, algo 8
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
> dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq: reply org is DNSKEY keytag 2097, algo 7
> dnsmasq: reply org is DNSKEY keytag 3177, algo 7
> dnsmasq: reply org is DNSKEY keytag 9795, algo 7
> dnsmasq: reply org is DNSKEY keytag 17883, algo 7
> dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> 
> Also the same with mozilla.org and mozilla.com and firefox.com
> 
> The upstreamserver 194.109.9.99 is using Unbound.
> 
> When I query the upstream nameserver directly I get a good response. I am
> running dnsmasq 2.76-1 for Debian at the moment and I updated it a
> few hours ago from 2.72-3.
> 

I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.

The upstream is clearly answering the direct question OK, but stalling
on some of the DNSSEC queries needed to verify it. That could
be an upstream problem, or a problem with the authoritative servers for
the domain. ftp.mozilla.org is signed, but it's a CNAME to
cloudfront.org, so the DS from .org proving that cloudfront.org is not
signed is also required.

Are you still seeing the problem now, or has this resolved itself?

Cheers,

Simon.
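The log in the quoted report shows the validation chain dnsmasq walks (root DNSKEY, DS for org, DNSKEY for org, DS for mozilla.org, and then a DNSKEY query for mozilla.org that never gets a reply). The following script is an added example, not code from the thread or from dnsmasq: it parses `dnsmasq -d` output of the form quoted above, matches each `dnssec-query` to its `reply` lines, reports which DNSSEC queries stalled, and checks that each zone's DS key tag is matched by a key tag in that zone's DNSKEY reply. The `SAMPLE_LOG` is the quoted log reproduced as constructed test input; the regular expressions are assumptions about dnsmasq's log format based only on those lines.

```python
import re
from collections import OrderedDict

# Constructed sample input: the dnsmasq -d output quoted in the thread.
SAMPLE_LOG = """\
dnsmasq: query[A] ftp.mozilla.org from 192.168.xxx.xxx
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DS] org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] . to 194.109.9.99
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply . is DNSKEY keytag 60615, algo 8
dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 2097, algo 7
dnsmasq: reply org is DNSKEY keytag 3177, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
"""

# Assumed log shapes, derived from the quoted lines only.
QUERY_RE = re.compile(r"dnssec-query\[(DS|DNSKEY)\] (\S+) to (\S+)")
REPLY_RE = re.compile(
    r"reply (\S+) is (DS|DNSKEY) keytag (\d+), algo (\d+)(?:, digest (\d+))?"
)


def audit_dnssec_log(text):
    """Match dnssec-query lines to their reply lines.

    Returns (answered, unanswered): answered maps (rrtype, name) to a list of
    (keytag, algo, digest) tuples; unanswered is the ordered list of
    (rrtype, name) queries that never received a reply line.
    """
    queries = OrderedDict()
    for line in text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            rrtype, name, _server = q.groups()
            queries.setdefault((rrtype, name), [])
            continue
        r = REPLY_RE.search(line)
        if r:
            name, rrtype, keytag, algo, digest = r.groups()
            key = (rrtype, name)
            if key in queries:  # ignore replies to queries we never saw issued
                queries[key].append(
                    (int(keytag), int(algo), int(digest) if digest else None)
                )
    answered = OrderedDict((k, v) for k, v in queries.items() if v)
    unanswered = [k for k, v in queries.items() if not v]
    return answered, unanswered


def ds_links_to_dnskey(answered, zone):
    """True if a DS key tag for `zone` appears among the zone's DNSKEY key tags.

    Returns None when either the DS or the DNSKEY reply for the zone is
    missing, i.e. the chain cannot be checked from this log alone.
    """
    ds = answered.get(("DS", zone))
    keys = answered.get(("DNSKEY", zone))
    if not ds or not keys:
        return None
    dnskey_tags = {tag for tag, _algo, _digest in keys}
    return any(tag in dnskey_tags for tag, _algo, _digest in ds)


def report(text):
    """Human-readable summary of stalled queries and chain consistency."""
    answered, unanswered = audit_dnssec_log(text)
    lines = []
    for (rrtype, name), replies in answered.items():
        lines.append(f"{rrtype:6} {name:15} {len(replies)} reply record(s)")
    for rrtype, name in unanswered:
        lines.append(f"{rrtype:6} {name:15} NO REPLY (stalled)")
    for zone in sorted({n for _t, n in answered if _t == "DS"}):
        status = ds_links_to_dnskey(answered, zone)
        lines.append(f"DS->DNSKEY link for {zone}: "
                     f"{'unverifiable' if status is None else status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the quoted log, `report` flags the `DNSKEY mozilla.org` query as stalled and shows the org link as consistent (DS key tag 9795 matches a DNSKEY key tag 9795), while the mozilla.org link is unverifiable because the DNSKEY reply never arrived; that points the investigation at the upstream resolver or the zone's authoritative servers rather than at dnsmasq's own validation logic. Feeding it a longer `dnsmasq -d` capture works the same way, since it only looks at `dnssec-query` and `reply` lines.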
