[Dnsmasq-discuss] DNSSEC validation failing on Cloudflare test domain
Hamish Moffatt
hamish at moffatt.email
Wed Jul 17 06:41:33 BST 2019
Hi,
I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT
router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when
I visit the Cloudflare test site
https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't
determine if I have secure DNS enabled.
It's trying to look up
60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which
is failing. dnsmasq is logging:
Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
This is weird because if I query 1.1.1.1 directly with dig, it succeeds:
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over TLS.
If I query stubby directly, it also succeeds.
It seems to work OK with other domains like cloudflare.com, just not the
test site.
Hamish
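The two dig headers in the post differ in exactly the fields that matter for triage: the answer via dnsmasq is SERVFAIL with no `ad` flag, while the answer straight from 1.1.1.1 is NOERROR with `ad` set. The script below is an added example, not part of the original post or of dnsmasq; it parses dig `+dnssec` header lines like the ones above and reports where in the chain validation breaks. The sample outputs are copied from the post; the classification rules in `diagnose` are the author's own reading of status and flags, not anything dnsmasq itself emits.

```python
import re

# Constructed samples: the two header blocks quoted in the post above.
VIA_DNSMASQ = """\
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

VIA_UPSTREAM = """\
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)


def parse_dig_header(text):
    """Extract RCODE, header flags and section counts from dig output."""
    status, flags, counts = None, set(), {}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            status = m.group(2)
        m = FLAGS_RE.search(line)
        if m:
            flags = set(m.group(1).split())
            counts = dict(zip(("query", "answer", "authority", "additional"),
                              map(int, m.groups()[1:])))
    if status is None:
        raise ValueError("no dig header found")
    return {"status": status, "flags": flags, "counts": counts}


def diagnose(resolver_text, upstream_text):
    """Compare the answer via the validating forwarder with the answer from
    its upstream and say which hop the failure belongs to.  Rules here are
    the example author's, derived from RCODE and the AD (authenticated data) flag."""
    r = parse_dig_header(resolver_text)
    u = parse_dig_header(upstream_text)
    if r["status"] == "NOERROR" and "ad" in r["flags"]:
        return "validated: forwarder answered NOERROR with AD set"
    if r["status"] == "SERVFAIL":
        if u["status"] == "NOERROR" and "ad" in u["flags"]:
            return ("upstream validates (AD set); failure is local to the "
                    "validating forwarder or the path between them")
        if u["status"] == "NOERROR":
            return ("upstream answers without AD; it may not be validating, "
                    "or the zone may be unsigned")
        return "upstream also fails; problem lies upstream"
    return "unvalidated answer: status %s, flags %s" % (
        r["status"], " ".join(sorted(r["flags"])))


if __name__ == "__main__":
    print(diagnose(VIA_DNSMASQ, VIA_UPSTREAM))
```

Run it on the two captures in the post and it attributes the SERVFAIL to the dnsmasq hop, which is consistent with the "Insecure DS reply received" warning: the upstream is producing validated answers, so the next thing to check is what dnsmasq actually receives for the DS query, not whether 1.1.1.1 supports DNSSEC.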