[Dnsmasq-discuss] DNSSEC validation failing on Cloudflare test domain

Hamish Moffatt hamish at moffatt.email
Wed Jul 17 06:41:33 BST 2019


Hi,

I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT 
router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when 
I visit the Cloudflare test site 
https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't 
determine if I have secure DNS enabled.


It's trying to look up 
60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which 
is failing. dnsmasq is logging:

Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply 
received, do upstream DNS servers support DNSSEC?


; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 
60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1


This is weird because if I query 1.1.1.1 directly with dig, it succeeds:

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 
60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1


Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over TLS. 
If I query stubby directly, it also succeeds.


It seems to work OK with other domains like cloudflare.com, just not the 
test site.


Hamish
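As an added diagnostic aid (not part of the original post), the snippet below parses the two `dig` header blocks and the dnsmasq warning quoted above into a structured summary, then reports where validation is failing. The rule it applies is standard: a resolver only sets the `ad` flag on answers it validated itself, so an upstream `NOERROR` answer with `ad` alongside a forwarder `SERVFAIL` plus an "Insecure DS reply" warning points at the forwarder's own validation step rather than at the upstream. The sample inputs are the header lines copied from the post; the function names and the label strings returned are this example's own.

```python
import re
from dataclasses import dataclass

# Header lines copied from the post: the query through dnsmasq (SERVFAIL) and
# the same query sent straight to the upstream resolver (NOERROR, ad set).
DIG_VIA_DNSMASQ = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_VIA_UPSTREAM = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
"""
# The dnsmasq syslog line from the post.
DNSMASQ_LOG = """\
Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
"""

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)
DS_WARN_RE = re.compile(r"dnsmasq\[(\d+)\]: Insecure DS reply received")


@dataclass(frozen=True)
class DigSummary:
    status: str          # RCODE text as dig prints it, e.g. NOERROR / SERVFAIL
    flags: frozenset     # header flags, e.g. {"qr", "rd", "ra", "ad"}
    answers: int         # ANSWER section count

    @property
    def validated(self) -> bool:
        # The AD (authentic data) bit is only set by a resolver that validated
        # the answer itself; its absence means "not validated here".
        return "ad" in self.flags


def parse_dig(text: str) -> DigSummary:
    """Extract status, flags and answer count from dig's header lines."""
    h = HEADER_RE.search(text)
    f = FLAGS_RE.search(text)
    if not h or not f:
        raise ValueError("no dig HEADER/flags lines found in input")
    return DigSummary(status=h.group(2),
                      flags=frozenset(f.group(1).split()),
                      answers=int(f.group(3)))


def dnsmasq_ds_warnings(log: str) -> list:
    """Return the PIDs of every 'Insecure DS reply received' warning in a log."""
    return [int(m.group(1)) for m in DS_WARN_RE.finditer(log)]


def diagnose(via_forwarder: DigSummary, via_upstream: DigSummary, ds_warnings: list) -> str:
    """Classify where DNSSEC validation is breaking (labels are this example's own)."""
    if via_forwarder.status == "NOERROR" and via_forwarder.validated:
        return "ok"                            # forwarder validated the answer
    if via_upstream.status != "NOERROR":
        return "upstream-failure"              # nothing to validate: upstream itself fails
    if not via_upstream.validated:
        return "upstream-unvalidated"          # upstream answers but sets no AD bit
    if via_forwarder.status == "SERVFAIL" and ds_warnings:
        return "forwarder-validation-failure"  # upstream is fine; forwarder rejected the DS chain
    return "forwarder-failure"                 # forwarder fails for some other reason


if __name__ == "__main__":
    fwd = parse_dig(DIG_VIA_DNSMASQ)
    up = parse_dig(DIG_VIA_UPSTREAM)
    warnings = dnsmasq_ds_warnings(DNSMASQ_LOG)
    print(f"via dnsmasq: {fwd.status} ad={fwd.validated}; "
          f"via upstream: {up.status} ad={up.validated}; "
          f"DS warnings from pids {warnings}")
    print("diagnosis:", diagnose(fwd, up, warnings))
```

Fed the outputs quoted in the post, the script classifies the case as `forwarder-validation-failure`: the upstream returns a validated answer, while dnsmasq, which re-validates from the DS records it fetches itself, rejects the chain and logs the "Insecure DS reply" warning. Capturing the same three inputs for a domain that does work (the post mentions cloudflare.com) and comparing them is the natural next check.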
