[Dnsmasq-discuss] DNSSEC BOGUS still replied to with IP

Simon Kelley simon at thekelleys.org.uk
Fri Mar 1 20:33:05 GMT 2019


On 01/03/2019 18:56, Dominik DL6ER wrote:
> Dear list members,
> 
> to my understanding, dnsmasq should not return any valid records for BOGUS domains.
> However, using Cloudflare (1.1.1.1 / 1.0.0.1) as upstream, I see domains being
> validated as BOGUS in the log; however, the A query still succeeds and the client
> receives valid IP addresses. I'm using dnsmasq v2.80.
> 
> Corresponding log excerpt:
> 
> Mar  1 12:07:43 dnsmasq[28682]: query[A] www.vp4.navy.mil from 192.168.0.135
> Mar  1 12:07:43 dnsmasq[28682]: forwarded www.vp4.navy.mil to 1.0.0.1
> Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] mil to 1.0.0.1
> Mar  1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 2
> Mar  1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 1
> Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] navy.mil to 1.0.0.1
> Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DNSKEY] mil to 1.0.0.1
> Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 59896, algo 8
> Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 10428, algo 8
> Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 15450, algo 8
> Mar  1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 2
> Mar  1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 1
> Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] vp4.navy.mil to 1.0.0.1
> Mar  1 12:07:43 dnsmasq[28682]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
> Mar  1 12:07:43 dnsmasq[28682]: reply vp4.navy.mil is BOGUS DS
> Mar  1 12:07:43 dnsmasq[28682]: validation www.vp4.navy.mil is BOGUS
> Mar  1 12:07:43 dnsmasq[28682]: reply www.vp4.navy.mil is <CNAME>
> Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 34.196.13.230
> Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 52.0.22.76
> 
> Is this intended behavior?


Is the client actually getting the IP addresses, or are you assuming
that it is based on the log? I just ran the same query and got the same
logs, but the reply which went back to the client has a SERVFAIL return
code, and an empty answer section.


What is happening here is that 1.0.0.1 is returning a valid but unsigned
answer to the original query, which is being logged. (You can think of
the "reply" noun in the logs as "reply from 1.0.0.1", not "reply to
192.168.0.135".) Dnsmasq fails to prove that an unsigned reply is OK,
and therefore labels it as bogus, and turns it into a SERVFAIL reply.

What's worrying is that Cloudflare and Google are both quite happy that
the answer is _not_ bogus, but dnsmasq thinks it is. I shall poke around
some more to try and understand that.


Simon.
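Simon's reading of the log, that the "reply ... is ..." lines record what 1.0.0.1 sent back and not what 192.168.0.135 received, can be checked from two sides: by grouping the log by client query and reading the "validation" verdict, and by decoding the RCODE and answer count of the packet that actually reaches the client. The Python script below is an added example written for this thread; it is not dnsmasq code and not from either poster. It parses the excerpt quoted above and decodes a constructed SERVFAIL response with the empty answer section Simon describes. All function names are my own.

```python
import re
import struct

# Log excerpt quoted in the thread (dnsmasq 2.80, DNSSEC validation on).
LOG = """\
Mar  1 12:07:43 dnsmasq[28682]: query[A] www.vp4.navy.mil from 192.168.0.135
Mar  1 12:07:43 dnsmasq[28682]: forwarded www.vp4.navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 2
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] vp4.navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Mar  1 12:07:43 dnsmasq[28682]: reply vp4.navy.mil is BOGUS DS
Mar  1 12:07:43 dnsmasq[28682]: validation www.vp4.navy.mil is BOGUS
Mar  1 12:07:43 dnsmasq[28682]: reply www.vp4.navy.mil is <CNAME>
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 34.196.13.230
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 52.0.22.76
"""

MSG = re.compile(r"dnsmasq\[\d+\]: (.*)$")
QUERY = re.compile(r"^query\[(\w+)\] (\S+) from (\S+)")
VALIDATION = re.compile(r"^validation (\S+) is (\S+)")
REPLY = re.compile(r"^reply (\S+) is (.+)$")


def parse_dnsmasq_log(lines):
    """Group dnsmasq log lines by client query.

    Every 'reply X is Y' line after a query is stored as an upstream reply
    (what the forwarder returned), never as the client-facing answer; the
    'validation X is Y' line carries the DNSSEC verdict for that query.
    """
    queries = {}
    current = None
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        q = QUERY.match(msg)
        if q:
            qtype, name, client = q.groups()
            current = name
            queries[name] = {"qtype": qtype, "client": client,
                             "validation": None, "upstream_replies": []}
            continue
        if current is None:
            continue
        v = VALIDATION.match(msg)
        if v and v.group(1) == current:
            queries[current]["validation"] = v.group(2)
            continue
        r = REPLY.match(msg)
        if r:
            queries[current]["upstream_replies"].append(r.groups())
    return queries


def bogus_queries(queries):
    """Names whose verdict was BOGUS; dnsmasq answers these with SERVFAIL."""
    return sorted(n for n, e in queries.items() if e["validation"] == "BOGUS")


RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_servfail_response(txid, qname):
    """Constructed wire-format response: RCODE=2 (SERVFAIL), no answer records."""
    flags = 0x8000 | 0x0100 | 0x0080 | 2  # QR, RD, RA set; RCODE = 2
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def inspect_response(packet):
    """Decode the 12-byte DNS header: RCODE, answer count and the AD flag."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,
        "ad": bool(flags & 0x0020),  # AD bit: data authenticated by the resolver
    }


if __name__ == "__main__":
    parsed = parse_dnsmasq_log(LOG.splitlines())
    for name in bogus_queries(parsed):
        e = parsed[name]
        print(f"{name}: validation BOGUS; {len(e['upstream_replies'])} upstream "
              f"reply line(s) logged; client {e['client']} should see SERVFAIL")
    print(inspect_response(build_servfail_response(0x1234, "www.vp4.navy.mil")))
```

For a live check, capture the answer dnsmasq sends to the client (for instance with a packet capture on the LAN interface) and pass its bytes to inspect_response: a SERVFAIL with zero answer records, and the AD bit clear, confirms that the two addresses in the upstream "reply" lines never reached the client.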




