[Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus
simon at thekelleys.org.uk
Tue Apr 4 22:24:04 BST 2017
Which version of dnsmasq are you using? I just tested this domain using
the development code, and got the correct result.
dnsmasq: query[A] patryk.one.pl from 127.0.0.1
dnsmasq: forwarded patryk.one.pl to 220.127.116.11
dnsmasq: forwarded patryk.one.pl to 18.104.22.168
dnsmasq: dnssec-query[DS] pl to 22.214.171.124
dnsmasq: dnssec-query[DNSKEY] . to 126.96.36.199
dnsmasq: reply . is DNSKEY keytag 61045, algo 8
dnsmasq: reply . is DNSKEY keytag 14796, algo 8
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply pl is DS keytag 2216, algo 8, digest 2
dnsmasq: dnssec-query[DS] one.pl to 188.8.131.52
dnsmasq: dnssec-query[DNSKEY] pl to 184.108.40.206
dnsmasq: reply pl is DNSKEY keytag 2216, algo 8
dnsmasq: reply pl is DNSKEY keytag 55609, algo 8
dnsmasq: reply pl is DNSKEY keytag 53575, algo 8
dnsmasq: reply pl is DNSKEY keytag 61674, algo 8
dnsmasq: reply one.pl is no DS
dnsmasq: validation result is INSECURE
dnsmasq: reply patryk.one.pl is 220.127.116.11
On 27/03/17 16:37, Patryk Szczygłowski wrote:
> I have a domain signed with DNSSEC: patryk.one.pl <http://patryk.one.pl>
> The issue is, the parent one.pl <http://one.pl> is completely void of
> DNSSEC support (and it will probably never get fixed).
> - . is signed
> - .pl is signed, no DS for .one.pl <http://one.pl>
> - .one.pl <http://one.pl> is NOT signed, no DNSKEY, no DS for
> .patryk.one.pl <http://patryk.one.pl>
> - .patryk.one.pl <http://patryk.one.pl> is signed
> My domain is registered with dlv.isc.org <http://dlv.isc.org>, but this is
> not important anymore, as they announced closing down.
> Have a look here:
> The issue is dnsmasq is returning BOGUS instead of INSECURE. In
> consequence the domain does not resolve.
> I believe it is in contradiction with RFC:
> It should mark BOGUS only if top-bottom validation determines DS in
> parent but missing DNSKEY in child.
> Current behaviour is promoting a race condition, when the domain owner
> enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.
> The same situation was a few years ago, when TLDs were gradually enabled,
> when for a while they were signed with DNSKEY without DS being set on
> parent, only to be put several months later. There are still unsigned
> TLDs and I think they will stop being resolved completely when this
> happens again.
> Google Public DNS behaviour is correct.
> Patryk Szczygłowski
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
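The distinction the thread turns on (an unsigned parent with no DS makes everything below it INSECURE, while a DS in the parent with no matching DNSKEY in the child is BOGUS) is easy to see in a small top-down chain-of-trust walk. The following is an added example, not dnsmasq's validator: it models the zones from the thread (root, pl, one.pl, patryk.one.pl) with the key tags visible in the log above; the DS/DNSKEY tags 11111 and 4242 for the lower zones are constructed, and every label that appears in the zone table is treated as a delegation.

```python
from dataclasses import dataclass, field

SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"


@dataclass
class Zone:
    name: str                                       # apex name, "." for the root
    dnskey_tags: set = field(default_factory=set)   # key tags in the apex DNSKEY RRset
    ds: dict = field(default_factory=dict)          # delegated child name -> set of DS key tags


def zone_cuts(name):
    """Ancestor chain from the root down: '.', 'pl', 'one.pl', 'patryk.one.pl'."""
    labels = name.strip(".").split(".")
    return ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def validate(name, zones, trust_anchor_tags):
    """Walk the chain of trust top-down and return (status, trace).

    SECURE   : every delegation has a DS in the parent matching a DNSKEY in the child.
    INSECURE : some ancestor has an authenticated 'no DS' in its parent, so the name
               is in or below an unsigned zone; a signed island further down stays
               INSECURE, it is never BOGUS.
    BOGUS    : a parent publishes a DS but the child has no DNSKEY matching it.
    """
    trace = []
    parent = zones["."]
    if not parent.dnskey_tags & trust_anchor_tags:
        return BOGUS, ["root DNSKEY does not match the configured trust anchor"]
    trace.append("root DNSKEY matches trust anchor")
    for cut in zone_cuts(name)[1:]:
        if cut not in zones:
            continue  # not a delegation: the name lives inside the enclosing zone
        ds_tags = parent.ds.get(cut)
        if ds_tags is None:  # authenticated denial of DS, like "reply one.pl is no DS"
            trace.append(f"{cut}: no DS in {parent.name} -> chain ends, INSECURE")
            return INSECURE, trace
        child = zones[cut]
        matched = ds_tags & child.dnskey_tags
        if not matched:
            trace.append(f"{cut}: DS {sorted(ds_tags)} in {parent.name} "
                         f"but no matching DNSKEY -> BOGUS")
            return BOGUS, trace
        trace.append(f"{cut}: DS matches DNSKEY keytag {sorted(matched)}")
        parent = child
    return SECURE, trace


TRUST_ANCHOR = {19036}  # root KSK tag seen in the dnsmasq log


def island_scenario():
    """Constructed model of the thread: one.pl is unsigned, patryk.one.pl is signed."""
    return {
        ".": Zone(".", {61045, 14796, 19036}, {"pl": {2216}}),
        "pl": Zone("pl", {2216, 55609, 53575, 61674}, {}),   # no DS for one.pl
        "one.pl": Zone("one.pl", set(), {}),                   # no DNSKEY at all
        "patryk.one.pl": Zone("patryk.one.pl", {11111}, {}),   # constructed key tag
    }


def bogus_scenario():
    """pl publishes a DS for one.pl but one.pl has no DNSKEY: the real BOGUS case."""
    zones = island_scenario()
    zones["pl"].ds["one.pl"] = {4242}  # constructed DS tag
    return zones


def secure_scenario():
    """Every delegation carries a DS that matches a child DNSKEY."""
    zones = bogus_scenario()
    zones["one.pl"].dnskey_tags = {4242}
    zones["one.pl"].ds["patryk.one.pl"] = {11111}
    return zones


if __name__ == "__main__":
    for label, zones in (("island", island_scenario()),
                         ("bogus", bogus_scenario()),
                         ("secure", secure_scenario())):
        status, trace = validate("patryk.one.pl", zones, TRUST_ANCHOR)
        print(f"{label}: {status}")
        for line in trace:
            print("   ", line)
```

The island scenario reproduces the log above: the walk validates pl against the root, then hits "no DS" for one.pl and stops with INSECURE without ever looking at patryk.one.pl's own keys. Only the bogus scenario, where the parent asserts a DS that the child cannot back with a DNSKEY, produces BOGUS.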