[Dnsmasq-discuss] DNSSEC failure after some time

Hamish Moffatt hamish at cloud.net.au
Mon Jul 3 09:35:14 BST 2017 

On 29/06/17 09:42, Hamish Moffatt wrote:
> On 29/06/17 07:05, Simon Kelley wrote:
>> Your text says 2.75, but the log says 2.76. There's a significant
>> difference between the two in DNSSEC code.
>>
>> First thing to do is to turn on --log-queries and arrange for the (quite
>> large) logs to go somewhere safe, if the router has limited storage.
>> That should give you information about why the validation is failing.
>>
>
> I meant 2.76. I will start logging and report back if I see the 
> failure again (but two weeks in a row now). 

This just happened again. Here are the logs from a couple of DNS lookups 
after it failed. I redacted the hostnames and IPs, hope it still makes 
sense.


ul  3 16:58:36 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com 
from 192.168.42.2
Jul  3 16:58:36 router daemon.info dnsmasq[10149]: forwarded 
foo2.foo.com to 8.8.4.4
Jul  3 16:58:37 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com 
from 192.168.42.2
Jul  3 16:58:37 router daemon.info dnsmasq[10149]: forwarded 
foo2.foo.com to 8.8.4.4
Jul  3 16:58:37 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] 
foo.com to 8.8.4.4
Jul  3 16:58:37 router daemon.info dnsmasq[10149]: reply foo2.foo.com is 
<CNAME>
Jul  3 16:58:37 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
Jul  3 16:58:37 router daemon.info dnsmasq[11219]: query[A] foo2.foo.com 
from 192.168.42.2
Jul  3 16:58:38 router daemon.info dnsmasq[11219]: forwarded 
foo2.foo.com to 8.8.4.4
Jul  3 16:58:38 router daemon.info dnsmasq[11219]: dnssec-query[DNSKEY] 
foo.com to 8.8.4.4
Jul  3 16:58:38 router daemon.info dnsmasq[11219]: validation 
foo2.foo.com is ABANDONED
Jul  3 16:58:38 router daemon.info dnsmasq[11219]: reply foo2.foo.com is 
<CNAME>
Jul  3 16:58:38 router daemon.info dnsmasq[11219]: reply foo.com is 2.2.2.2
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com 
from 192.168.42.2
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: forwarded 
foo2.foo.com to 8.8.4.4
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] 
foo.com to 8.8.4.4
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: reply foo2.foo.com is 
<CNAME>
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] 
foo.com to 8.8.4.4
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: reply foo2.foo.com is 
<CNAME>
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
Jul  3 16:58:38 router daemon.info dnsmasq[11220]: query[A] foo2.foo.com 
from 192.168.42.2
Jul  3 16:58:38 router daemon.info dnsmasq[11220]: forwarded 
foo2.foo.com to 8.8.4.4
Jul  3 16:58:38 router daemon.info dnsmasq[11220]: dnssec-query[DNSKEY] 
foo.com to 8.8.4.4
Jul  3 16:58:38 router daemon.info dnsmasq[11220]: validation 
foo2.foo.com is ABANDONED
Jul  3 16:58:38 router daemon.info dnsmasq[11220]: reply foo2.foo.com is 
<CNAME>
Jul  3 16:58:38 router daemon.info dnsmasq[11220]: reply foo.com is 2.2.2.2
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: query[A] 
foo2.foo.com.cloud.net.au from 192.168.42.2
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: forwarded 
foo2.foo.com.cloud.net.au to 8.8.4.4
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: validation result is 
INSECURE
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: reply 
foo2.foo.com.cloud.net.au is NXDOMAIN

Jul  3 17:00:48 router daemon.info dnsmasq[11425]: dnssec-query[DNSKEY] 
foo.com to 8.8.8.8
Jul  3 17:00:48 router daemon.info dnsmasq[11425]: validation 
dev.foo.com is ABANDONED
Jul  3 17:00:48 router daemon.info dnsmasq[11425]: reply dev.foo.com is 
<CNAME>
Jul  3 17:00:48 router daemon.info dnsmasq[11425]: reply 
office-gw.foo.com.au is 1.1.1.1
Jul  3 17:00:48 router daemon.info dnsmasq[10149]: query[A] 
dev.foo.com.cloud.net.au from 192.168.42.2
Jul  3 17:00:48 router daemon.info dnsmasq[10149]: cached 
dev.foo.com.cloud.net.au is NXDOMAIN
Jul  3 17:00:53 router daemon.info dnsmasq[10149]: query[A] 
docs.google.com from 192.168.42.2
Jul  3 17:00:53 router daemon.info dnsmasq[10149]: forwarded 
docs.google.com to 8.8.8.8
Jul  3 17:00:53 router daemon.info dnsmasq[10149]: validation result is 
INSECURE
Jul  3 17:00:53 router daemon.info dnsmasq[10149]: reply docs.google.com 
is 216.58.200.110
Jul  3 17:01:02 router daemon.info dnsmasq[10149]: query[A] foo1.foo.com 
from 192.168.42.2
Jul  3 17:01:02 router daemon.info dnsmasq[10149]: forwarded 
foo1.foo.com to 8.8.8.8
Jul  3 17:01:02 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] 
foo.com to 8.8.8.8
Jul  3 17:01:03 router daemon.info dnsmasq[10149]: reply foo1.foo.com is 
2.2.2.2
Jul  3 17:01:03 router daemon.info dnsmasq[11427]: query[A] foo1.foo.com 
from 192.168.42.2
Jul  3 17:01:03 router daemon.info dnsmasq[11427]: forwarded 
foo1.foo.com to 8.8.8.8
Jul  3 17:01:03 router daemon.info dnsmasq[11427]: dnssec-query[DNSKEY] 
foo.com to 8.8.8.8
Jul  3 17:01:03 router daemon.info dnsmasq[11427]: validation 
foo1.foo.com is ABANDONED
Jul  3 17:01:03 router daemon.info dnsmasq[11427]: reply foo1.foo.com is 
2.2.2.2


Hamish

More information about the Dnsmasq-discuss mailing list