[Dnsmasq-discuss] DNSSEC failure after some time
Hamish Moffatt
hamish at cloud.net.au
Mon Jul 3 09:35:14 BST 2017
On 29/06/17 09:42, Hamish Moffatt wrote:
> On 29/06/17 07:05, Simon Kelley wrote:
>> Your text says 2.75, but the log says 2.76. There's a significant
>> difference between the two in DNSSEC code.
>>
>> First thing to do is to turn on --log-queries and arrange for the (quite
>> large) logs to go somewhere safe, if the router has limited storage.
>> That should give you information about why the validation is failing.
>>
>
> I meant 2.76. I will start logging and report back if I see the
> failure again (but two weeks in a row now).
This just happened again. Here are the logs from a couple of DNS lookups
after it failed. I redacted the hostnames and IPs, hope it still makes
sense.
ul 3 16:58:36 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com
from 192.168.42.2
Jul 3 16:58:36 router daemon.info dnsmasq[10149]: forwarded
foo2.foo.com to 8.8.4.4
Jul 3 16:58:37 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com
from 192.168.42.2
Jul 3 16:58:37 router daemon.info dnsmasq[10149]: forwarded
foo2.foo.com to 8.8.4.4
Jul 3 16:58:37 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY]
foo.com to 8.8.4.4
Jul 3 16:58:37 router daemon.info dnsmasq[10149]: reply foo2.foo.com is
<CNAME>
Jul 3 16:58:37 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
Jul 3 16:58:37 router daemon.info dnsmasq[11219]: query[A] foo2.foo.com
from 192.168.42.2
Jul 3 16:58:38 router daemon.info dnsmasq[11219]: forwarded
foo2.foo.com to 8.8.4.4
Jul 3 16:58:38 router daemon.info dnsmasq[11219]: dnssec-query[DNSKEY]
foo.com to 8.8.4.4
Jul 3 16:58:38 router daemon.info dnsmasq[11219]: validation
foo2.foo.com is ABANDONED
Jul 3 16:58:38 router daemon.info dnsmasq[11219]: reply foo2.foo.com is
<CNAME>
Jul 3 16:58:38 router daemon.info dnsmasq[11219]: reply foo.com is 2.2.2.2
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com
from 192.168.42.2
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: forwarded
foo2.foo.com to 8.8.4.4
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY]
foo.com to 8.8.4.4
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo2.foo.com is
<CNAME>
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY]
foo.com to 8.8.4.4
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo2.foo.com is
<CNAME>
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
Jul 3 16:58:38 router daemon.info dnsmasq[11220]: query[A] foo2.foo.com
from 192.168.42.2
Jul 3 16:58:38 router daemon.info dnsmasq[11220]: forwarded
foo2.foo.com to 8.8.4.4
Jul 3 16:58:38 router daemon.info dnsmasq[11220]: dnssec-query[DNSKEY]
foo.com to 8.8.4.4
Jul 3 16:58:38 router daemon.info dnsmasq[11220]: validation
foo2.foo.com is ABANDONED
Jul 3 16:58:38 router daemon.info dnsmasq[11220]: reply foo2.foo.com is
<CNAME>
Jul 3 16:58:38 router daemon.info dnsmasq[11220]: reply foo.com is 2.2.2.2
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: query[A]
foo2.foo.com.cloud.net.au from 192.168.42.2
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: forwarded
foo2.foo.com.cloud.net.au to 8.8.4.4
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: validation result is
INSECURE
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply
foo2.foo.com.cloud.net.au is NXDOMAIN
Jul 3 17:00:48 router daemon.info dnsmasq[11425]: dnssec-query[DNSKEY]
foo.com to 8.8.8.8
Jul 3 17:00:48 router daemon.info dnsmasq[11425]: validation
dev.foo.com is ABANDONED
Jul 3 17:00:48 router daemon.info dnsmasq[11425]: reply dev.foo.com is
<CNAME>
Jul 3 17:00:48 router daemon.info dnsmasq[11425]: reply
office-gw.foo.com.au is 1.1.1.1
Jul 3 17:00:48 router daemon.info dnsmasq[10149]: query[A]
dev.foo.com.cloud.net.au from 192.168.42.2
Jul 3 17:00:48 router daemon.info dnsmasq[10149]: cached
dev.foo.com.cloud.net.au is NXDOMAIN
Jul 3 17:00:53 router daemon.info dnsmasq[10149]: query[A]
docs.google.com from 192.168.42.2
Jul 3 17:00:53 router daemon.info dnsmasq[10149]: forwarded
docs.google.com to 8.8.8.8
Jul 3 17:00:53 router daemon.info dnsmasq[10149]: validation result is
INSECURE
Jul 3 17:00:53 router daemon.info dnsmasq[10149]: reply docs.google.com
is 216.58.200.110
Jul 3 17:01:02 router daemon.info dnsmasq[10149]: query[A] foo1.foo.com
from 192.168.42.2
Jul 3 17:01:02 router daemon.info dnsmasq[10149]: forwarded
foo1.foo.com to 8.8.8.8
Jul 3 17:01:02 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY]
foo.com to 8.8.8.8
Jul 3 17:01:03 router daemon.info dnsmasq[10149]: reply foo1.foo.com is
2.2.2.2
Jul 3 17:01:03 router daemon.info dnsmasq[11427]: query[A] foo1.foo.com
from 192.168.42.2
Jul 3 17:01:03 router daemon.info dnsmasq[11427]: forwarded
foo1.foo.com to 8.8.8.8
Jul 3 17:01:03 router daemon.info dnsmasq[11427]: dnssec-query[DNSKEY]
foo.com to 8.8.8.8
Jul 3 17:01:03 router daemon.info dnsmasq[11427]: validation
foo1.foo.com is ABANDONED
Jul 3 17:01:03 router daemon.info dnsmasq[11427]: reply foo1.foo.com is
2.2.2.2
Hamish
More information about the Dnsmasq-discuss
mailing list