[Dnsmasq-discuss] DNSSEC failure after some time

Hamish Moffatt hamish at cloud.net.au
Wed Jun 28 02:25:41 BST 2017


I've recently enabled DNSSEC on dnsmasq, and signed a zone that I work 
with a lot.

It works for a while (dig shows the AD (authentic data) flag on signed 
zones), but after about a week, I start getting lookup failures for that 
zone until I restart dnsmasq. Then it works for another week. The DNSSEC 
verifier at https://dnssec-debugger.verisignlabs.com/ says the domain is 
fine.

There's nothing in the log file, though I am not logging all queries.


I have version 2.75. It's baked into my router firmware (Tomato Shibby) 
so I can't easily try the very latest. The DNSSEC-related part of my 
config is

dnssec

conf-file=/etc/trust-anchors.conf


And the trust-anchors.conf says

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D



Jun 28 10:11:54 router daemon.info dnsmasq[9632]: started, version 2.76 cachesize 4096
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth DNSSEC loop-detect no-inotify
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: DNSSEC validation enabled
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: asynchronous logging enabled, queue limit is 5 messages
Jun 28 10:11:54 router daemon.info dnsmasq-dhcp[9632]: DHCP, IP range 192.168.42.20 -- 192.168.42.254, lease time 1d
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: reading /etc/resolv.dnsmasq
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: using nameserver 8.8.8.8#53
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: using nameserver 8.8.4.4#53
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: read /etc/hosts - 2 addresses
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: read /etc/dnsmasq/hosts/hosts - 12 addresses
Jun 28 10:11:54 router daemon.info dnsmasq-dhcp[9632]: read /etc/dnsmasq/dhcp/dhcp-hosts


Is there anything else I can check?



Thanks


Hamish
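One thing a reader can check offline before restarting dnsmasq is that the trust-anchor lines are structurally sound. The following is an added example, not part of the post or of dnsmasq itself: it parses lines in the `trust-anchor=<domain>,<keytag>,<algorithm>,<digest-type>,<digest>` form used above (the same fields as a DS record) and flags wrong field counts, non-numeric tags, unknown digest types, and digests whose hex length does not match the digest type. The sample input is the two anchors from the post plus one constructed line with a truncated digest; the function and variable names are this example's own.

```python
"""Structural checker for dnsmasq trust-anchor lines (added example, not dnsmasq code).

A line that passes is well-formed; passing says nothing about whether the anchor
is the key the root zone currently uses, only that dnsmasq will not be fed a
malformed DS-style record.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Digest type -> expected hex length: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509),
# 4 = SHA-384 (RFC 6605).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass(frozen=True)
class TrustAnchor:
    domain: str
    keytag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_trust_anchor(line: str) -> TrustAnchor:
    """Parse one 'trust-anchor=...' line; raise ValueError describing the defect."""
    line = line.strip()
    if not line.startswith("trust-anchor="):
        raise ValueError(f"not a trust-anchor line: {line!r}")
    fields = line[len("trust-anchor="):].split(",")
    if len(fields) != 5:
        raise ValueError(f"expected 5 comma-separated fields, got {len(fields)}: {line!r}")
    domain, keytag_s, alg_s, dtype_s, digest = (f.strip() for f in fields)
    if not domain:
        raise ValueError("empty domain")
    try:
        keytag, algorithm, digest_type = int(keytag_s), int(alg_s), int(dtype_s)
    except ValueError:
        raise ValueError(f"keytag/algorithm/digest-type must be integers: {line!r}") from None
    if not 0 <= keytag <= 0xFFFF:
        raise ValueError(f"key tag {keytag} outside 16-bit range")
    if not 1 <= algorithm <= 255:
        raise ValueError(f"algorithm {algorithm} outside 1..255")
    if digest_type not in DIGEST_HEX_LEN:
        raise ValueError(f"unknown digest type {digest_type}")
    if not HEX_RE.match(digest):
        raise ValueError("digest is not hexadecimal")
    expected = DIGEST_HEX_LEN[digest_type]
    if len(digest) != expected:
        raise ValueError(f"digest type {digest_type} needs {expected} hex chars, got {len(digest)}")
    return TrustAnchor(domain, keytag, algorithm, digest_type, digest.upper())


def check_config(text: str) -> list[str]:
    """Return one problem string per bad line; an empty list means every line parsed."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and '#' comments are skipped, as dnsmasq does
        try:
            parse_trust_anchor(raw)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
    return problems


# The two anchors quoted in the post above (root KSK tags 19036 and 20326).
POSTED_ANCHORS = """\
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
"""

# Constructed bad input: the second digest cut short by four characters, the kind of
# copy-and-paste damage worth catching before the daemon is restarted with it.
TRUNCATED_ANCHOR = "trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8\n"

if __name__ == "__main__":
    for label, text in (("posted", POSTED_ANCHORS), ("truncated", TRUNCATED_ANCHOR)):
        probs = check_config(text)
        print(label, "OK" if not probs else probs)
```

Running it reports the posted lines as OK and the constructed line as having a 60-character digest where digest type 2 requires 64. The check deliberately stops at syntax: confirming that a listed key tag is the one the root zone is actually signing with needs a live DNSKEY lookup, which is a separate step.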



