[Dnsmasq-discuss] DNSSEC failure for dagjeuitactie.nl

Simon Kelley simon at thekelleys.org.uk
Sun Oct 28 11:13:39 GMT 2018


There's a CNAME at the root of the domain, which is not permissible, and
the root cause of the validation failure.


https://medium.freecodecamp.org/why-cant-a-domain-s-root-be-a-cname-8cbab38e5f5c

gives some reasons why this is not a good idea.

What actually happens is that dnsmasq makes a query for the DS record
for dagjeuitactie.nl and gets back the CNAME, rather than NSEC records
from the parent proving that the DS doesn't work. It's arguable that
this is not sensible behaviour, but it's what happens, and it makes
it impossible for dnsmasq to do validation.

The easiest way to fix this is almost certainly to fix the domain.


Cheers,

Simon.



On 26/10/2018 15:05, Willem Bargeman wrote:
> Hi Simon,
> 
> I received a message that the website dagjeuitactie.nl was not working.
> When I do a dig for this domain the status is SERVFAIL.
> 
> dig dagjeuitactie.nl @127.0.0.1 -p 5353
> 
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dagjeuitactie.nl @127.0.0.1 -p 5353
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30367
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1452
> ;; QUESTION SECTION:
> ;dagjeuitactie.nl.              IN      A
> 
> ;; Query time: 101 msec
> ;; SERVER: 127.0.0.1#5353(127.0.0.1)
> ;; WHEN: Fri Oct 26 15:50:50 CEST 2018
> ;; MSG SIZE  rcvd: 45
> 
> In the log file I can see the following.
> 
> dnsmasq[5172]: query[A] dagjeuitactie.nl from 127.0.0.1
> dnsmasq[5172]: forwarded dagjeuitactie.nl to 127.0.1.1
> dnsmasq[5172]: validation dagjeuitactie.nl is BOGUS
> 
> A query using the Cloudflare or Google DNS servers is working.
> The domain name (dagjeuitactie.nl and www.dagjeactie.nl) is a CNAME
> for dagjeuit-web.queueup.eu.
> Dagjeuitactie.nl is not DNSSEC enabled. However, the
> domain dagjeuit-web.queueup.eu is DNSSEC enabled. However this record
> is also a CNAME to a AWS server.
> 
> I'm not a DNSSEC expert but is this behavior correct? Is this a failure
> in Dnsmasq or is the domain not configured correctly.
> 
> Thank you!
> 
> Best regards,
> Willem Bargeman
> 
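The two checks behind Simon's diagnosis, modelled offline as an added example (this is not code from the thread or from dnsmasq, and it is a simplification of dnsmasq's real validator): a zone lint that flags a CNAME at a zone apex, where it necessarily collides with the SOA and NS records every zone must carry, and a classifier for what a validator receives when it asks the parent for the child's DS record. With an unsigned child the parent should return no DS plus NSEC/NSEC3 records proving its absence (the "insecure" result); when a CNAME comes back instead, as described above, there is no proof either way and the name is treated as bogus. The zone contents, the `example.net` names and the DS responses are constructed for illustration, not taken from the real domain.

```python
# Added example, not part of the dnsmasq mailing-list thread. Offline model of
# (1) the apex-CNAME rule and (2) the DS-response decision a DNSSEC validator makes.
# All names and records below are constructed; 'example.net' stands in for the real zone.
from dataclasses import dataclass, field


@dataclass
class RR:
    name: str    # owner name, trailing dot optional
    rtype: str   # record type, e.g. 'SOA', 'NS', 'CNAME', 'DS', 'NSEC'
    rdata: str   # presentation-format data, only carried along here


def lint_apex_cname(zone_apex, records):
    """Return a list of problems for a zone.

    RFC 1034 section 3.6.2: a CNAME may not share an owner name with any other
    record.  The apex always holds SOA and NS, so an apex CNAME is never legal."""
    apex = zone_apex.rstrip('.').lower()
    by_name = {}
    for rr in records:
        by_name.setdefault(rr.name.rstrip('.').lower(), []).append(rr)
    problems = []
    for name, rrs in by_name.items():
        types = {rr.rtype for rr in rrs}
        if 'CNAME' in types and len(types) > 1:
            others = ', '.join(sorted(types - {'CNAME'}))
            where = 'CNAME at zone apex collides with' if name == apex else 'CNAME coexists with'
            problems.append(f"{name}: {where} {others}")
    return problems


@dataclass
class DsResponse:
    """Minimal model of the reply to a 'DS <zone>' query sent towards the parent."""
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)


def classify_ds_response(zone, resp):
    """Simplified validator decision from the DS answer:
    'secure'   - DS record(s) present: the child is a signed delegation
    'insecure' - no DS, and NSEC/NSEC3 in the authority section prove its absence
    'bogus'    - neither proof; in the thread's case a CNAME is returned instead"""
    z = zone.rstrip('.').lower()
    ans_types = {rr.rtype for rr in resp.answer if rr.name.rstrip('.').lower() == z}
    if 'DS' in ans_types:
        return 'secure'
    if 'CNAME' in ans_types:
        return 'bogus'  # the apex CNAME was followed; no denial-of-existence proof arrived
    if any(rr.rtype in ('NSEC', 'NSEC3') for rr in resp.authority):
        return 'insecure'
    return 'bogus'


# Constructed zone resembling the thread: apex CNAME next to the mandatory SOA/NS.
BROKEN_ZONE = [
    RR('example.net.', 'SOA', 'ns1.example.net. hostmaster.example.net. 1 3600 900 1209600 300'),
    RR('example.net.', 'NS', 'ns1.example.net.'),
    RR('example.net.', 'CNAME', 'web.hosting.example.'),
    RR('www.example.net.', 'CNAME', 'web.hosting.example.'),
]
# The usual fix: an address record at the apex, CNAME only under www.
FIXED_ZONE = [
    RR('example.net.', 'SOA', 'ns1.example.net. hostmaster.example.net. 2 3600 900 1209600 300'),
    RR('example.net.', 'NS', 'ns1.example.net.'),
    RR('example.net.', 'A', '192.0.2.10'),
    RR('www.example.net.', 'CNAME', 'web.hosting.example.'),
]

# Constructed DS responses for the three outcomes.
NSEC_PROOF = DsResponse(authority=[RR('example.net.', 'NSEC', 'example-next.net. NS RRSIG NSEC')])
CNAME_INSTEAD = DsResponse(answer=[RR('example.net.', 'CNAME', 'web.hosting.example.')])
SIGNED_CHILD = DsResponse(answer=[RR('example.net.', 'DS', '12345 13 2 PLACEHOLDER-DIGEST')])


if __name__ == '__main__':
    for label, zone in (('broken', BROKEN_ZONE), ('fixed', FIXED_ZONE)):
        print(label, lint_apex_cname('example.net', zone) or 'no problems')
    for label, resp in (('nsec proof', NSEC_PROOF), ('cname instead', CNAME_INSTEAD),
                        ('signed child', SIGNED_CHILD)):
        print(label, '->', classify_ds_response('example.net', resp))
```

Running the file prints one apex-CNAME problem for the broken zone, none for the fixed one, and `insecure`, `bogus` and `secure` for the three responses. The lint is the check to run on the zone file before publishing; the classifier only illustrates why "fix the domain" is the remedy, since a validator has nothing it can use when the CNAME is returned.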


