[Dnsmasq-discuss] DNSSEC validation failing on Cloudflare test domain
Simon Kelley
simon at thekelleys.org.uk
Wed Jul 17 12:59:02 BST 2019
I'm not in a position to look at this for a few days, but in the meantime,
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012910.html
discusses a situation which looks, at least superficially, similar. It
might be worth turning on DNS logging and seeing if the similarity goes
deeper.
Cheers,
Simon.

On 17/07/2019 06:41, Hamish Moffatt wrote:
> Hi,
>
> I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT
> router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when
> I visit the Cloudflare test site
> https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't
> determine if I have secure DNS enabled.
>
>
> It's trying to look up
> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which
> is failing. dnsmasq is logging:
>
> Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply
> received, do upstream DNS servers support DNSSEC?
>
>
> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec
> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>
> This is weird because if I query 1.1.1.1 directly with dig, it succeeds:
>
> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec
> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
>
> Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over TLS.
> If I query stubby directly, it also succeeds.
>
>
> It seems to work OK with other domains like cloudflare.com, just not the
> test site.
>
>
> Hamish
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
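The thread turns on what an upstream resolver actually hands back when asked with the DNSSEC OK (DO) bit set, which is exactly what `dig +dnssec` does and what dnsmasq relies on when it fetches DS records to validate a chain. The following is an added example, not code from the list thread or from dnsmasq or stubby: it builds a DNS query with an EDNS0 OPT record carrying the DO bit, then decodes a reply header the way a validating forwarder cares about (RCODE, the AD flag, and whether any RRSIG/DS/DNSKEY records came back). The replies it parses here are constructed in the script for offline use; the name `example.test.`, the transaction id and the `probe()` helper that sends a real UDP query are assumptions of this example.

```python
"""Added example: a minimal DNSSEC-aware DNS probe built with the standard library."""
import socket
import struct

# RR type numbers from the IANA DNS parameters registry
TYPE_A, TYPE_OPT, TYPE_DS, TYPE_RRSIG, TYPE_DNSKEY = 1, 41, 43, 46, 48
DNSSEC_TYPES = {TYPE_DS, TYPE_RRSIG, TYPE_DNSKEY}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Query with RD set and an EDNS0 OPT record whose DO bit asks for DNSSEC data."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # qd=1, ar=1 (OPT)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    # OPT: root name, type 41, UDP payload 4096, ext-rcode 0, version 0,
    # flags 0x8000 = DO bit, rdlen 0
    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + ln


def parse_response(msg):
    """Summarise the header flags and count DNSSEC records in all sections."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {
        "id": txid,
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ad": bool(flags & 0x0020),  # Authenticated Data: resolver validated
        "answers": an,
        "dnssec_records": sum(1 for t in types if t in DNSSEC_TYPES),
    }


def make_sample_reply(name, rcode, ad, with_rrsig):
    """Constructed reply for offline demonstration; not captured traffic."""
    flags = 0x8180 | (0x0020 if ad else 0) | rcode  # QR, RD, RA (+AD) + rcode
    rrs = []
    if rcode == 0:
        rrs.append(encode_name(name) + struct.pack(">HHIH", TYPE_A, 1, 300, 4)
                   + bytes([192, 0, 2, 1]))  # documentation address
        if with_rrsig:
            rdata = b"\x00" * 20  # placeholder RRSIG rdata, not a real signature
            rrs.append(encode_name(name)
                       + struct.pack(">HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata)
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, len(rrs), 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_A, 1) + b"".join(rrs)


def probe(server, name, qtype=TYPE_A, timeout=3.0):
    """Send one DO-bit query over UDP/53 and summarise the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    good = parse_response(make_sample_reply("example.test.", 0, True, True))
    bad = parse_response(make_sample_reply("example.test.", 2, False, False))
    print("validated upstream reply :", good)
    print("SERVFAIL from forwarder  :", bad)
```

Comparing `probe(upstream, name, TYPE_DS)` against the same query sent to the forwarder reproduces the two `dig` runs in the post in one place: a reply with `ad` set and a non-zero `dnssec_records` count is what a validating forwarder needs, while `ad` false with no RRSIGs on a DS query is the kind of answer that produces the "Insecure DS reply received" warning.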