[Dnsmasq-discuss] Strange replies for DNSSEC domains
mmmfotografie
info at mmmfotografie.nl
Wed Jul 13 20:15:20 BST 2016
Hi, I just had a problem when I wanted to visit a site, and when I looked
it up in the log file I recognized a strange behaviour that I had seen before,
when I had the "DNSSEC/TLSA Validator" plug-in in Firefox.
It stopped browsing completely for a minute by becoming unresponsive.
This was only when I used DNSmasq; direct upstream replies went
without a hitch.
The bit of log underneath was without any plug-in, so a plain request.
You see that the domain name is split up into parts and it first returns
the dot and then the org part.
> forwarded www.raspberrypi.org to 194.109.9.99
> dnssec-query[DS] org to 194.109.9.99
> dnssec-query[DNSKEY] . to 194.109.9.99
> reply . is DNSKEY keytag 46551, algo 8
> reply . is DNSKEY keytag 19036, algo 8
> reply org is DS keytag 9795, algo 7, digest 1
> reply org is DS keytag 9795, algo 7, digest 2
> dnssec-query[DS] raspberrypi.org to 194.109.9.99
> dnssec-query[DNSKEY] org to 194.109.9.99
> reply org is DNSKEY keytag 3177, algo 7
> reply org is DNSKEY keytag 2097, algo 7
> reply org is DNSKEY keytag 17883, algo 7
> reply org is DNSKEY keytag 9795, algo 7
This bit is directly underneath and to me this looks correct:
> reply raspberrypi.org is DS keytag 21912, algo 10, digest 2
> dnssec-query[DNSKEY] raspberrypi.org to 194.109.9.99
> reply raspberrypi.org is DNSKEY keytag 23657, algo 10
> reply raspberrypi.org is DNSKEY keytag 21912, algo 10
> reply raspberrypi.org is DNSKEY keytag 12500, algo 10
> validation result is SECURE
Going to try 8.8.8.8 with the plug-in and see if it can be
replicated on another nameserver.
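As an added example (not from the post and not dnsmasq's own code), here is a small Python parser for the "reply ... is DS/DNSKEY keytag ..." lines quoted above. It groups keytags per zone and checks that every zone below the root has a DS (published by its parent) whose keytag matches one of the zone's own DNSKEYs, which is the chain the log walks: root first, then org, then raspberrypi.org, before reporting SECURE. It assumes the log format exactly as quoted; the sample input is the post's own reply lines, trimmed to the reply records.

```python
import re
from collections import defaultdict

# Constructed sample: the "reply" lines from the dnsmasq log quoted above.
SAMPLE_LOG = """\
reply . is DNSKEY keytag 46551, algo 8
reply . is DNSKEY keytag 19036, algo 8
reply org is DS keytag 9795, algo 7, digest 1
reply org is DS keytag 9795, algo 7, digest 2
reply org is DNSKEY keytag 3177, algo 7
reply org is DNSKEY keytag 2097, algo 7
reply org is DNSKEY keytag 17883, algo 7
reply org is DNSKEY keytag 9795, algo 7
reply raspberrypi.org is DS keytag 21912, algo 10, digest 2
reply raspberrypi.org is DNSKEY keytag 23657, algo 10
reply raspberrypi.org is DNSKEY keytag 21912, algo 10
reply raspberrypi.org is DNSKEY keytag 12500, algo 10
"""

REPLY_RE = re.compile(r"^reply (\S+) is (DS|DNSKEY) keytag (\d+), algo (\d+)")

def parse_replies(log):
    """Group keytags per zone: {zone: {"DS": {...}, "DNSKEY": {...}}}."""
    zones = defaultdict(lambda: {"DS": set(), "DNSKEY": set()})
    for line in log.splitlines():
        m = REPLY_RE.match(line.strip().lstrip("> "))  # tolerate quoted "> " lines
        if m:
            zone, rtype, keytag, _algo = m.groups()
            zones[zone][rtype].add(int(keytag))
    return zones

def check_chain(zones, name):
    """Walk root -> TLD -> ... -> name. The root is covered by the trust anchor;
    every other answering zone needs a DS keytag that matches one of its DNSKEYs."""
    labels = name.rstrip(".").split(".")
    path = ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    report = []
    for zone in path:
        if zone not in zones:
            continue  # no DS/DNSKEY replies: not a zone cut (e.g. "www")
        if zone == ".":
            report.append((zone, "trust-anchor"))
        elif zones[zone]["DS"] & zones[zone]["DNSKEY"]:
            report.append((zone, "linked"))
        else:
            report.append((zone, "BROKEN"))
    return report

def chain_ok(report):
    return bool(report) and all(status != "BROKEN" for _, status in report)
```

A DS whose keytag matches no DNSKEY in the child zone shows up as BROKEN, which is the situation to look for when a name validates with one upstream but not another.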