[Dnsmasq-discuss] Cannot look up disa.mil (dnssec related)

Dominik DL6ER dl6er at dl6er.de
Tue Oct 23 06:38:54 BST 2018


Hey all,

it seems to be working fine for me with dnsmasq v2.80. I'm also running
a local unbound instance which is why queries are getting forwarded to
127.0.0.1.

$ dig disa.mil @127.0.0.1 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=

relevant dnsmasq log excerpt:
Oct 23 07:29:54 dnsmasq[19772]: 1 127.0.0.1/49375 query[A] disa.mil
from 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: 1 127.0.0.1/49375 forwarded disa.mil to
127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 dnssec-query[DS] mil
to 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 dnssec-query[DNSKEY]
. to 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply . is DNSKEY
keytag 2134, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply . is DNSKEY
keytag 19036, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply . is DNSKEY
keytag 20326, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply mil is DS
keytag 59896, algo 8, digest 2
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply mil is DS
keytag 59896, algo 8, digest 1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 dnssec-query[DS]
disa.mil to 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 dnssec-query[DNSKEY]
mil to 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply mil is DNSKEY
keytag 59896, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply mil is DNSKEY
keytag 39600, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply mil is DNSKEY
keytag 693, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply disa.mil is DS
keytag 8665, algo 8, digest 2
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply disa.mil is DS
keytag 8665, algo 8, digest 1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 dnssec-query[DNSKEY]
disa.mil to 127.0.0.1
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply disa.mil is
DNSKEY keytag 52983, algo 8
Oct 23 07:29:54 dnsmasq[19772]: * 127.0.0.1/49375 reply disa.mil is
DNSKEY keytag 8665, algo 8
Oct 23 07:29:54 dnsmasq[19772]: 1 127.0.0.1/49375 validation result is
SECURE
Oct 23 07:29:54 dnsmasq[19772]: 1 127.0.0.1/49375 reply disa.mil is
156.112.108.76

Best,
Dominik

On Mon, 2018-10-22 at 23:10 +0100, Simon Kelley wrote:
> On 22/10/2018 17:56, Craig Andrews wrote:
> > I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping
> > that we
> > can figure out why that is.
> > 
> > I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its
> > upstream
> > DNS server; dnsmasq is running on 192.168.0.1.
> > 
> > Here are a couple of tests demonstrating the problem:
> > ------
> > $ dig disa.mil @192.168.0.1 +dnssec +short
> > <no output>
> > $ dig disa.mil @8.8.8.8 +dnssec +short
> > 156.112.108.76
> > A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
> > dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
> > YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
> > aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
> > [candrews at craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
> > 156.112.108.76
> > ------
> > So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1
> > with
> > dnssec works, but not with dnsmasq.
> > 
> > ------
> > # dnsmasq --version
> > Dnsmasq version 2.80test3  Copyright (c) 2000-2018 Simon Kelley
> > Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
> > DHCPv6
> > no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
> > dumpfile
> > 
> > This software comes with ABSOLUTELY NO WARRANTY.
> > Dnsmasq is free software, and you are welcome to redistribute it
> > under the terms of the GNU General Public License, version 2 or 3.
> > ------
> > 
> > Thanks in advance for your help and for this great software,
> > ~Craig
> 
> I can reproduce this, and checking with DNSviz doesn't show any
> problems
> with the domain, so this could well be a dnsmasq/DNSSEC problem.
> 
> I'll try and find time to do some forensics on it in the next day or
> two.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
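The log excerpt above is the useful artifact in this thread: with `log-queries` and DNSSEC enabled, dnsmasq records every DS and DNSKEY lookup it makes while validating, so the chain of trust (root DNSKEY -> DS for mil -> DNSKEY for mil -> DS for disa.mil -> DNSKEY for disa.mil) can be reconstructed from the log alone. The script below is an added example, not code from the thread or from the dnsmasq project: it parses lines in the format shown in Dominik's excerpt, groups them by the client address/port that triggered them, and checks that each zone's DS keytag matches a DNSKEY keytag that was actually returned, up to a root trust-anchor keytag (20326 is the root KSK-2017). The sample log embeds Dominik's SECURE session with its wrapped lines rejoined, plus a second, constructed session for client 192.168.0.10/51234 in which the disa.mil DNSKEY RRset is missing the key the parent's DS points at; that second session is invented for illustration and says nothing about the cause of Craig's failure. It only reasons about keytags visible in the log and does not verify any signatures.

```python
"""Reconstruct the DNSSEC chain of trust from dnsmasq log-queries output.

dnsmasq (built with DNSSEC, run with dnssec + log-queries) logs every DS and
DNSKEY lookup made while validating an answer.  Parse those lines, group them
per client ADDR/PORT, and check that each zone's DS keytag (seen in the parent)
matches a DNSKEY keytag returned for that zone, up to the root trust anchor.
"""
import re
from collections import defaultdict

# Layout of a log-queries line: "... dnsmasq[PID]: ID ADDR/PORT MESSAGE".
# ID is the client's query id ("1") or "*" for dnsmasq's own DNSSEC sub-queries.
LINE_RE = re.compile(r"dnsmasq\[\d+\]: (?P<qid>\S+) (?P<client>\S+/\d+) (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from \S+$")
DS_RE = re.compile(r"^reply (?P<zone>\S+) is DS keytag (?P<tag>\d+), algo \d+, digest \d+$")
DNSKEY_RE = re.compile(r"^reply (?P<zone>\S+) is DNSKEY keytag (?P<tag>\d+), algo \d+$")
RESULT_RE = re.compile(r"^validation result is (?P<result>\S+)$")

ROOT_KSK_2017 = 20326  # keytag of the root KSK-2017, the root trust anchor in use in 2018


def parse_sessions(lines):
    """Group log lines into per-client validation sessions keyed by ADDR/PORT."""
    sessions = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m.group("client"), {
            "query": None,
            "ds": defaultdict(set),      # zone -> DS keytags seen in the parent
            "dnskey": defaultdict(set),  # zone -> DNSKEY keytags returned for the zone
            "result": None,              # dnsmasq's own verdict (SECURE/INSECURE/BOGUS)
        })
        msg = m.group("msg")
        if (q := QUERY_RE.match(msg)):
            s["query"] = (q.group("qtype"), q.group("name"))
        elif (d := DS_RE.match(msg)):
            s["ds"][d.group("zone")].add(int(d.group("tag")))
        elif (k := DNSKEY_RE.match(msg)):
            s["dnskey"][k.group("zone")].add(int(k.group("tag")))
        elif (r := RESULT_RE.match(msg)):
            s["result"] = r.group("result")
    return sessions


def check_chain(session, trust_anchor_keytags=frozenset({ROOT_KSK_2017})):
    """Return the broken links in the keytag chain; an empty list means every
    zone's DS points at a DNSKEY that was returned and the root DNSKEY set
    contains a trust-anchor key.  Signatures themselves are not checked."""
    problems = []
    root_keys = session["dnskey"].get(".", set())
    if not root_keys & set(trust_anchor_keytags):
        problems.append(f"root DNSKEY set {sorted(root_keys)} has no trust-anchor keytag")
    for zone, keys in session["dnskey"].items():
        if zone == ".":
            continue
        ds_tags = session["ds"].get(zone, set())
        if not ds_tags:
            problems.append(f"no DS seen for {zone} in its parent")
        elif not ds_tags & keys:
            problems.append(f"DS keytags {sorted(ds_tags)} for {zone} match none of its DNSKEYs {sorted(keys)}")
    return problems


def summarize(lines, trust_anchor_keytags=frozenset({ROOT_KSK_2017})):
    """client -> (query, dnsmasq's verdict, chain problems visible in the log)."""
    return {c: (s["query"], s["result"], check_chain(s, trust_anchor_keytags))
            for c, s in parse_sessions(lines).items()}


def _line(qid, client, msg):  # sample-log builder; timestamp and pid are cosmetic
    return f"Oct 23 07:29:54 dnsmasq[19772]: {qid} {client} {msg}"


OK = "127.0.0.1/49375"       # the SECURE session from the message above
BAD = "192.168.0.10/51234"   # CONSTRUCTED failing session, not from the thread
SAMPLE_LOG = [
    _line(1, OK, "query[A] disa.mil from 127.0.0.1"),
    *[_line("*", OK, f"reply . is DNSKEY keytag {t}, algo 8") for t in (2134, 19036, 20326)],
    *[_line("*", OK, f"reply mil is DS keytag 59896, algo 8, digest {d}") for d in (2, 1)],
    *[_line("*", OK, f"reply mil is DNSKEY keytag {t}, algo 8") for t in (59896, 39600, 693)],
    *[_line("*", OK, f"reply disa.mil is DS keytag 8665, algo 8, digest {d}") for d in (2, 1)],
    *[_line("*", OK, f"reply disa.mil is DNSKEY keytag {t}, algo 8") for t in (52983, 8665)],
    _line(1, OK, "validation result is SECURE"),
    _line(1, OK, "reply disa.mil is 156.112.108.76"),
    # Constructed failure: the disa.mil DNSKEY RRset comes back without the key
    # (keytag 8665) that the parent's DS points at, so the chain cannot close.
    _line(2, BAD, "query[A] disa.mil from 192.168.0.10"),
    *[_line("*", BAD, f"reply . is DNSKEY keytag {t}, algo 8") for t in (19036, 20326)],
    _line("*", BAD, "reply mil is DS keytag 59896, algo 8, digest 2"),
    _line("*", BAD, "reply mil is DNSKEY keytag 59896, algo 8"),
    _line("*", BAD, "reply disa.mil is DS keytag 8665, algo 8, digest 2"),
    _line("*", BAD, "reply disa.mil is DNSKEY keytag 52983, algo 8"),
    _line(2, BAD, "validation result is BOGUS"),
]

if __name__ == "__main__":
    for client, (query, verdict, problems) in summarize(SAMPLE_LOG).items():
        print(f"{client} {query}: dnsmasq says {verdict}; chain problems: {problems or 'none'}")
```

To use it on a real box, feed `parse_sessions()` the lines from the dnsmasq log (journalctl -u dnsmasq or the syslog file) after enabling `log-queries`; a session whose verdict is BOGUS but whose chain shows no keytag problem points at a signature, timing or transport issue rather than a missing DS/DNSKEY link, which is the distinction worth making before blaming the zone or the resolver.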
