[Dnsmasq-discuss] DNSSEC and Mozilla domains not working

Simon Kelley simon at thekelleys.org.uk
Thu Jul 14 22:22:37 BST 2016


On 12/07/16 00:17, mmmfotografie wrote:
> On 11-7-2016 23:08, Simon Kelley wrote:
>> I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
>> behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.
>>
>> The upstream is clearly answering the direct question OK, but the
>> stalling of some of the DNSSEC queries needed to verify it. That could
>> be an upstream problem, or a problem with the authoritative servers for
>> the domain. ftp.mozilla.org is signed, but it's a CNAME to
>> cloudfront.org, so the DS from .org proving that cloudfront.org is not
>> signed is also required.
>>
>> Are you still seeing the problem now, or has this resolved itself?
>>
>> Cheers,
>>
>> Simon.
> 
> Thanks Simon for your reply and testing. I have now tried with 8.8.8.8
> and I have the same problem.
> 
> I see that the DNSSEC on firefox.com and mozilla.com are now disabled
> and I don't get a "ad" on them when I use dig and the output of DNSmask
> states INSECURE. So maybe Mozilla is now working around that problem.
> 
> mozilla.org will not resolve on 8.8.8.8 or 194.109.9.9  and the
> ftp.mozilla goes indeed through Cloudfront bit is not secure.
> .
> .
> .
> I have been testing a few setting...a lot of settings and combinations
> in the past hours and have now way to get a good response from DNSmasq.
> 
> I first use "/dig +dnssec +multi mozilla.org @127.0.0.1/" which seems to
> have more patience in waiting for a response. DNSmasq seems to do only
> one try when using dig and not three as with nslookup. DNSmasq is
> thinking about four seconds and then give a valid response using dig.
> 
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 8.8.8.8
> dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
> dnsmasq: validation result is SECURE
> dnsmasq: reply mozilla.org is 63.245.215.20
> 
> So on my standard upstream server:
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
> dnsmasq: validation result is SECURE
> dnsmasq: reply mozilla.org is 63.245.215.20
> 
> Now the information is in the cache and a next request is instant.
> 
> Also ftp.mozilla.org is instant now but insecure:
> 
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: validation result is INSECURE
> dnsmasq: reply ftp.mozilla.org is <CNAME>
> dnsmasq: reply d34chcsvb7ug62.cloudfront.net is 52.85.250.4
> dnsmasq: query[AAAA] ftp.mozilla.org from 192.168.21.190
> dnsmasq: cached ftp.mozilla.org is <CNAME>
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: validation result is INSECURE
> dnsmasq: reply ftp.mozilla.org is <CNAME>
> 
> And if I don't use dig mozilla.org or ftp.mozilla.org before the
> nslookup, it times out again:
> 
> dnsmasq: reply . is DNSKEY keytag 46551, algo 8
> dnsmasq: reply . is DNSKEY keytag 19036, algo 8
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
> dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq: reply org is DNSKEY keytag 3177, algo 7
> dnsmasq: reply org is DNSKEY keytag 2097, algo 7
> dnsmasq: reply org is DNSKEY keytag 9795, algo 7
> dnsmasq: reply org is DNSKEY keytag 17883, algo 7
> dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> dnsmasq: query[AAAA] ftp.mozilla.org from 192.168.21.190
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> dnsmasq: query[A] ftp.mozilla.org from 192.168.21.190
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> dnsmasq: query[AAAA] ftp.mozilla.org from 192.168.21.190
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> 


So the problem seems to be that the reply to the query for DNSKEY on
mozilla.org is not being replied to in a reliable way.

One possibility is that the reply is quite large (886 bytes) and
probably larger than most DNS replies. It has been known for firewalls
to do crazy things like rejecting all DNS packets >512 bytes, so it's
worth exploring that a bit more.


What happens when you use dig to make the same query?

dig @8.8.8.8 dnskey mozilla.org
dig @194.109.9.99 dnskey mozilla.org


Cheers,

Simon.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20160714/ad0ac8fa/attachment.sig>


More information about the Dnsmasq-discuss mailing list