[Dnsmasq-discuss] Insecure DS reply warning - false positives?
Kevin Darbyshire-Bryant
kevin at darbyshire-bryant.me.uk
Mon May 13 10:40:46 BST 2019
Hi All,
Part of the reason for submitting http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q2/013026.html “[PATCH] dnssec: add hostname info to insecure DS warning” was to easily find out what domain was prompting the warning.
Some of my mystery ‘Insecure DS reply’ turns out to be this:
Mon May 13 09:57:27 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
Mon May 13 09:57:27 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
Mon May 13 09:57:27 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
Mon May 13 09:58:57 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
Mon May 13 09:58:57 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
Mon May 13 09:58:57 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
Is this a genuine configuration error on my/upstream’s part or is it false positive log spam?
(I think) The relevant bits from dnsmasq config:
dnssec
dnssec-check-unsigned
Upstream servers are Google’s 8.8.8.8 & friends.
Trust anchors:
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
Cheers,
Kevin D-B
gpg: 012C ACB2 28C6 C53E 9775 9123 B3A2 389B 9DE2 334A
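
A triage sketch for the warnings quoted in the message above, added here as an example and not part of the original post or of dnsmasq: it counts "Insecure DS reply" lines per domain and tags names that are reverse zones for RFC 1918 private address space. The function names and the "rfc1918-reverse"/"other" tags are assumptions of this example; it only classifies the names and does not decide whether a warning is genuine.

```python
import ipaddress
import re
from collections import Counter

# Matches the warning text as it appears in the log lines quoted above.
WARNING = re.compile(r"dnsmasq\[\d+\]: Insecure DS reply received for (\S+?),")

# RFC 1918 private IPv4 ranges.
PRIVATE_V4 = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reverse_zone_network(name):
    """Return the IPv4 network an in-addr.arpa zone name covers, or None."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2][::-1]  # reverse zones list octets least-significant first
    if not 1 <= len(octets) <= 4:
        return None
    if not all(o.isascii() and o.isdigit() and int(o) <= 255 for o in octets):
        return None
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")

def summarise(lines):
    """Return (domain, count, tag) tuples, most frequent domain first."""
    counts = Counter()
    for line in lines:
        m = WARNING.search(line)
        if m:
            counts[m.group(1).rstrip(".").lower()] += 1
    report = []
    for name, n in counts.most_common():
        net = reverse_zone_network(name)
        private = net is not None and any(net.subnet_of(p) for p in PRIVATE_V4)
        report.append((name, n, "rfc1918-reverse" if private else "other"))
    return report

# Three lines in the format quoted in the message, plus one constructed
# line (example.com) and one unrelated constructed line to show filtering.
SAMPLE = [
    "Mon May 13 09:57:27 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support",
    "Mon May 13 09:57:27 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support",
    "Mon May 13 09:58:57 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support",
    "Mon May 13 09:59:01 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for example.com, check domain configuration and upstream DNS server DNSSEC support",
    "Mon May 13 09:59:02 2019 daemon.info dnsmasq[20911]: constructed unrelated line",
]

if __name__ == "__main__":
    for row in summarise(SAMPLE):
        print(*row)
```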