[Dnsmasq-discuss] DNSSEC BOGUS still replied to with IP

Dominik DL6ER dl6er at dl6er.de
Fri Mar 1 22:11:21 GMT 2019


Hey Simon,

I was assuming dnsmasq was sending the address to the client as it was able to
resolve the page (as in able to access it). However, this could very well have
been caused by the client sending out multiple queries and at least one of them
was answered with IPs.

This seems to be the exact situation DNSSEC was created for. CloudFlare is
trying to provide information that is not accurate and should be flagged BOGUS,
so there is no dnsmasq bug here. Maybe logging was a bit misleading, but I should
have paid more attention to the replies to the client.

Thanks!

Best regards,
Dominik

On Fri, 2019-03-01 at 21:01 +0000, Simon Kelley wrote:
> On 01/03/2019 20:33, Simon Kelley wrote:
> 
> > What's worrying is that Cloudflare and Google are both quite happy that
> > the answer is _not_ bogus, but dnsmasq thinks it is. I shall poke around
> > some more to try and understand that.
> 
> Answering myself, this appears to be a cloudflare bug, which I've seen
> before. Sometimes the Cloudflare servers give a correct answer to a
> query for a DS record at vp4.navy.mil with proof that such a record
> doesn't exist
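The hypothesis above (the client queried more than one resolver and one of them handed back an address while dnsmasq returned SERVFAIL for the BOGUS answer) is easiest to confirm by looking at the replies the client actually received rather than at dnsmasq's log. The script below is an added example, not code from the thread or from the dnsmasq project: it parses the header and answer section of raw DNS replies and reports, per reply, the RCODE, whether the AD (Authentic Data) flag is set, and any A records present. The three replies it inspects are constructed in the script for a hypothetical name "www.example"; they are not captures from the servers discussed in the thread.

```python
import struct

# DNS RCODEs (RFC 1035) and the header flag bit this check relies on.
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2          # what dnsmasq returns when it marks an answer BOGUS
FLAG_AD = 1 << 5            # Authentic Data (RFC 4035): set only by a validating resolver


def parse_name(msg, off):
    """Decode a possibly-compressed DNS name starting at off; return (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", end


def classify(msg):
    """Summarise one wire-format DNS reply: rcode, AD flag, A records, and a verdict."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0xF
    ad = bool(flags & FLAG_AD)
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = parse_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:         # A record
            addrs.append(".".join(str(b) for b in rdata))
    if rcode == RCODE_SERVFAIL:
        verdict = "SERVFAIL: validating resolver refused the answer (BOGUS or upstream failure)"
    elif addrs and ad:
        verdict = "validated: AD set, address is DNSSEC-secure"
    elif addrs:
        verdict = "UNVALIDATED: address returned without AD (non-validating resolver, or DO/AD not set in query)"
    else:
        verdict = "no address in reply"
    return {"rcode": rcode, "ad": ad, "addresses": addrs, "verdict": verdict}


def triage(replies):
    """Given {resolver_label: wire reply}, report which resolver actually handed out an address."""
    return {src: classify(msg)["verdict"] for src, msg in replies.items()}


def build_reply(txid, rcode, ad, addresses):
    """Construct a reply to 'www.example. IN A' for demonstration only (not a real capture)."""
    flags = 0x8180 | rcode                    # QR=1, RD=1, RA=1
    if ad:
        flags |= FLAG_AD
    qname = b"\x03www\x07example\x00"
    header = struct.pack("!6H", txid, flags, 1, len(addresses), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addresses:
        # name as a pointer to offset 12 (the question name), type A, class IN, TTL 300, 4-byte rdata
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return header + question + answers


# Constructed sample replies, as a client with two nameservers in resolv.conf might see them.
REPLY_FROM_DNSMASQ = build_reply(0x1234, RCODE_SERVFAIL, False, [])              # BOGUS -> SERVFAIL
REPLY_FROM_OTHER_RESOLVER = build_reply(0x1234, RCODE_NOERROR, False, ["192.0.2.10"])  # answered, no AD
REPLY_VALIDATED = build_reply(0x1234, RCODE_NOERROR, True, ["192.0.2.10"])       # what a secure answer looks like

if __name__ == "__main__":
    for src, verdict in triage({"dnsmasq": REPLY_FROM_DNSMASQ,
                                "other-resolver": REPLY_FROM_OTHER_RESOLVER}).items():
        print(f"{src}: {verdict}")
```

Fed with real replies (for example the payloads of a packet capture on the client), the verdict per source shows directly whether the address came from the validating dnsmasq instance or from a second, non-validating resolver the client also had configured.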
