[Dnsmasq-discuss] DNSSEC BOGUS still replied to with IP

Simon Kelley simon at thekelleys.org.uk
Fri Mar 1 21:01:18 GMT 2019


On 01/03/2019 20:33, Simon Kelley wrote:

> 
> What's worrying is that Cloudflare and Google are both quite happy that
> the answer is _not_ bogus, but dnsmasq thinks it is. I shall poke around
> some more to try and understand that.
> 
> 
>

Answering myself, this appears to be a cloudflare bug, which I've seen
before. Sometimes the Cloudflare servers give a correct answer to a
query for a DS record at vp4.navy.mil with proof that such a record
doesn't exist.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec @1.0.0.1 DS vp4.navy.mil
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56156
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;vp4.navy.mil.			IN	DS

;; AUTHORITY SECTION:
navy.mil.		2149	IN	SOA	ns1.csd.disa.mil. hostmaster.navy.mil. 2019022501
7200 900 2592000 3600
navy.mil.		2149	IN	RRSIG	SOA 8 2 7200 20190327183033 20190225183033 3624
navy.mil. yXqgMb/KaKhAFD+nK/rOWxRA+e0SNcxFNMduE9JCOF9CLbmEEY79hH0/
aDHC6F+0R3AYRhk3FrZVrZcZTDnbNjHgX8VFI+ffYGJyQ1xL929Fr4pv
W+ZBnQlMyZ/XNHcOD23h/03YTP9ZBl40Ham+FdAFAxeHPGieWSzO/g4i mtw=
j8j5otdlg2trckk1ihstd584fjv5uh4n.navy.mil. 2429	IN NSEC3 1 0 10
32313032434343 J8UPVKMCB2UQO4TIS8VJACGU4JIFPAFI NS
j8j5otdlg2trckk1ihstd584fjv5uh4n.navy.mil. 2429	IN RRSIG NSEC3 8 3 3600
20190327183033 20190225183033 3624 navy.mil.
S+Y4RODqxYLEQML5+5qxUk2bp/opzKwinQMrlDufegat4ElU+Cby/tUG
Mbew4tYdZFMmMS3G6zGE2xA+zC0Doa3iTK4qYnQ2wHkqj08nwrCi1y3z
ruLw8GMowcAgtjc5NtkG+T94N2MiWFM64AqoNeFzGOcfrnUlDS4h1r9l TC4=

;; Query time: 103 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Fri Mar 01 20:46:33 GMT 2019
;; MSG SIZE  rcvd: 523


But then if you repeat exactly the same query and get back the same
answer, but without the required DNSSEC records as proof.


; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec @1.0.0.1 DS vp4.navy.mil
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59281
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;vp4.navy.mil.			IN	DS

;; AUTHORITY SECTION:
navy.mil.		3306	IN	SOA	ns1.csd.disa.mil. hostmaster.navy.mil. 2019022501
7200 900 2592000 3600

;; Query time: 173 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Fri Mar 01 20:46:35 GMT 2019
;; MSG SIZE  rcvd: 106


If dnsmasq gets the second form, it has no choice but to declare the
original answer bogus.

Running the DS query multiple times to both 1.1.1.1 and 1.0.0.1, the
answers seem to be pretty much randomly distributed between correct and
incorrect, with about 0.5 probability.  8.8.8.8 gets it right every time.

Doing the same thing with a DS query for thekelleys.org.uk, (as another
example of an unsigned subomain of a signed, NSEC3-using domain) gives
the correct answer all the time, so this looks like some interaction
between that particular domain and Cloudflare.

Simon.




More information about the Dnsmasq-discuss mailing list