[Dnsmasq-discuss] DNSSEC validation failing on Cloudflare test domain

Simon Kelley simon at thekelleys.org.uk
Wed Jul 17 12:59:02 BST 2019


I'm not in a position to look at this for a few days, but in the meantime,


http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012910.html


discusses a situation which looks, at least superficially, similar. It
might be worth turning on DNS logging and seeing if the similarity goes
deeper.

Cheers,

Simon.



On 17/07/2019 06:41, Hamish Moffatt wrote:
> Hi,
> 
> I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT
> router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when
> I visit the Cloudflare test site
> https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't
> determine if I have secure DNS enabled.
> 
> 
> It's trying to look up
> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which
> is failing. dnsmasq is logging:
> 
> Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply
> received, do upstream DNS servers support DNSSEC?
> 
> 
> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec
> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> 
> This is weird because if I query 1.1.1.1 directly with dig, it succeeds:
> 
> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec
> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> 
> 
> Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over TLS.
> If I query stubby directly, it also succeeds.
> 
> 
> It seems to work OK with other domains like cloudflare.com, just not the
> test site.
> 
> 
> Hamish
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
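The comparison Hamish did by hand (dig +dnssec through dnsmasq, then directly against the upstream) can be scripted so the two headers are reduced to status plus AD flag and the mismatch is named. This is an added example, not code from the thread or from dnsmasq; it assumes dig is installed for the live check, and the embedded header excerpts are the two Hamish posted.

```sh
#!/bin/sh
# Added example (not from the thread): compare dig +dnssec results seen
# through a validating forwarder with results from its upstream resolver.
# Assumes dig is installed; the header excerpts below are from the thread.

# Reduce dig output on stdin to "status=<RCODE> ad=<0|1>".
dig_summary() {
    awk '
        /->>HEADER<<-/ { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
        /^;; flags:/   { if ($0 ~ / ad[ ;]/) ad = 1 }
        END { printf "status=%s ad=%d\n", status, ad + 0 }
    '
}

# Name the forwarder/upstream pattern: $1 is the forwarder summary, $2 the upstream one.
diagnose() {
    case "$1|$2" in
        "status=SERVFAIL ad=0|status=NOERROR ad=1")
            # Upstream validates the name, the forwarder cannot: the thread's case.
            echo "forwarder-validation-failure" ;;
        "status=NOERROR ad=1|status=NOERROR ad=1")
            echo "validated-by-both" ;;
        "status=NOERROR ad=0|status=NOERROR ad=0")
            # No AD from either: zone unsigned, or neither side validates.
            echo "unsigned-or-not-validated" ;;
        "status=SERVFAIL ad=0|status=SERVFAIL ad=0")
            echo "failure-at-upstream-too" ;;
        *)  echo "other" ;;
    esac
}

# Live check: NAME, forwarder address, upstream address (hypothetical usage helper).
compare_live() {
    f=$(dig +dnssec "$1" @"$2" | dig_summary)
    u=$(dig +dnssec "$1" @"$3" | dig_summary)
    echo "forwarder: $f / upstream: $u -> $(diagnose "$f" "$u")"
}

# Header excerpts from the thread: via dnsmasq, then direct to 1.1.1.1.
VIA_DNSMASQ=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
VIA_UPSTREAM=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1'
```

Run `compare_live <name> <dnsmasq-address> <upstream-address>` against a live setup; the "forwarder-validation-failure" result is the pattern in this thread, and is the case where dnsmasq's own DNS logging (as Simon suggests) shows which DS/DNSKEY step failed.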
