[Dnsmasq-discuss] DNSSEC validation failing on Cloudflare test domain

Hamish Moffatt hamish at moffatt.email
Thu Jul 18 02:37:06 BST 2019


It looks like it's the same. I can't query the www.vp4.navy.mil site 
listed in that other report with validation enabled either.


dnsmasq[14688]: 323 192.168.42.2/60372 query[A] www.vp4.navy.mil from 192.168.42.2
dnsmasq[14688]: 323 192.168.42.2/60372 forwarded www.vp4.navy.mil to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/60372 dnssec-query[DS] vp4.navy.mil to 1.1.1.1
dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
dnsmasq[14688]: * 192.168.42.2/60372 reply vp4.navy.mil is BOGUS DS
dnsmasq[14688]: 323 192.168.42.2/60372 validation www.vp4.navy.mil is BOGUS
dnsmasq[14688]: 323 192.168.42.2/60372 reply www.vp4.navy.mil is <CNAME>

dnsmasq[14688]: 7 192.168.42.2/43514 query[A] 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com from 192.168.42.2
dnsmasq[14688]: 7 192.168.42.2/43514 forwarded 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflareresolve.com is DS keytag 64088, algo 13, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] is-cf.cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DS keytag 35886, algo 8, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflare.net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 35886, algo 8
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 2129, algo 8
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 59540, algo 8
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DS keytag 2371, algo 13, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] cloudflare.net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DNSKEY keytag 34505, algo 13
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DNSKEY keytag 2371, algo 13
dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
dnsmasq[14688]: * 192.168.42.2/43514 reply is-cf.cloudflareresolve.com is BOGUS DS
dnsmasq[14688]: 7 192.168.42.2/43514 validation 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is BOGUS
dnsmasq[14688]: 7 192.168.42.2/43514 reply 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is <CNAME>
dnsmasq[14688]: 7 192.168.42.2/43514 reply is-cf.cloudflareresolve.com.cdn.cloudflare.net is 104.16.225.45
dnsmasq[14688]: 7 192.168.42.2/43514 reply is-cf.cloudflareresolve.com.cdn.cloudflare.net is 104.16.224.45


Hamish


On 17/7/19 9:59 pm, Simon Kelley wrote:
> I'm not in a position to look at this for a few days, but in the meantime,
>
>
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012910.html
>
>
> discusses a situation which looks, at least superficially, similar. It
> might be worth turning on DNS logging and seeing if the similarity goes
> deeper.
>
> Cheers,
>
> Simon.
>
>
>
> On 17/07/2019 06:41, Hamish Moffatt wrote:
>> Hi,
>>
>> I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT
>> router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when
>> I visit the Cloudflare test site
>> https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't
>> determine if I have secure DNS enabled.
>>
>>
>> It's trying to look up
>> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which
>> is failing. dnsmasq is logging:
>>
>> Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
>>
>>
>> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>>
>> This is weird because if I query 1.1.1.1 directly with dig, it succeeds:
>>
>> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>>
>>
>> Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over TLS.
>> If I query stubby directly, it also succeeds.
>>
>>
>> It seems to work OK with other domains like cloudflare.com, just not the
>> test site.
>>
>>
>> Hamish
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>
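The log above shows the shape of the failure: dnsmasq obtains a DS for cloudflareresolve.com (so the parent is signed), then asks 1.1.1.1 for the DS of is-cf.cloudflareresolve.com and logs "Insecure DS reply received" followed by "BOGUS DS". Under a signed parent, a validator can accept a DS reply only as a signed DS RRset (secure delegation) or as a signed NSEC/NSEC3 denial (provably unsigned delegation); a reply that is neither is bogus, and a validating dnsmasq does its own checking rather than trusting the upstream's AD bit. The script below is an added example, not code from dnsmasq or from anyone in this thread: it classifies the output of `dig <zone> DS +dnssec` that way and walks every zone cut of a name so you can see which cut produces the unusable reply. The `classify_ds_reply`, `zone_cuts` and `walk_ds_chain` names are my own; the four `sample_*` dig outputs are constructed, with example.com names and placeholder digests and signatures; the 1.1.1.1 default mirrors the upstream used in the thread.

```shell
#!/bin/sh
# Added example (not part of dnsmasq): classify DS replies the way a validator
# must, and walk a name's zone cuts to find the one that yields a bogus reply.
#
# Verdicts printed by classify_ds_reply (reads `dig <zone> DS +dnssec` on stdin):
#   SECURE     DS RRset + RRSIG in ANSWER                -> child zone is signed
#   INSECURE   NSEC/NSEC3 + RRSIG in AUTHORITY, no DS    -> provably unsigned child
#   BOGUS      neither a DS nor a signed denial          -> the "Insecure DS reply" case
#   ERROR:<rc> rcode other than NOERROR/NXDOMAIN
# "ad=" reports the upstream's AD flag for information only; dnsmasq validates itself.
classify_ds_reply() {
  awk '
    /^;; ->>HEADER<<-/ {
      if (match($0, /status: [A-Z]+/)) rcode = substr($0, RSTART + 8, RLENGTH - 8)
    }
    /^;; flags:/ && / ad[;, ]/ { ad = 1 }
    /^;; ANSWER SECTION:/     { sec = "answer";     next }
    /^;; AUTHORITY SECTION:/  { sec = "authority";  next }
    /^;; ADDITIONAL SECTION:/ { sec = "additional"; next }
    /^;/ || /^$/ { next }                      # comments, question section, blank lines
    sec == "answer"    && $4 == "DS"                              { ds = 1 }
    sec == "answer"    && $4 == "RRSIG" && $5 == "DS"             { ds_sig = 1 }
    sec == "authority" && ($4 == "NSEC" || $4 == "NSEC3")         { denial = 1 }
    sec == "authority" && $4 == "RRSIG" && ($5 == "NSEC" || $5 == "NSEC3") { denial_sig = 1 }
    END {
      if (rcode != "NOERROR" && rcode != "NXDOMAIN") verdict = "ERROR:" rcode
      else if (ds && ds_sig)                         verdict = "SECURE"
      else if (denial && denial_sig)                 verdict = "INSECURE"
      else                                           verdict = "BOGUS"
      print verdict " ad=" (ad + 0)
    }'
}

# zone_cuts NAME: print every suffix of NAME from the TLD down (a.b.c -> c, b.c, a.b.c).
zone_cuts() {
  printf '%s\n' "${1%.}" |
    awk -F. '{ s = ""; for (i = NF; i >= 1; i--) { s = (s == "") ? $i : $i "." s; print s } }'
}

# walk_ds_chain NAME [RESOLVER]: live query of each zone cut (needs dig and network).
walk_ds_chain() {
  resolver=${2:-1.1.1.1}
  command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 1; }
  for zone in $(zone_cuts "$1"); do
    printf '%-45s %s\n' "$zone" "$(dig @"$resolver" "$zone" DS +dnssec | classify_ds_reply)"
  done
}

# --- Constructed dig outputs (placeholder digests/signatures, example.com names) ---
sample_signed_cut() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;net.                   IN  DS

;; ANSWER SECTION:
net.    86400  IN  DS     35886 8 2 0000000000000000000000000000000000000000000000000000000000000000
net.    86400  IN  RRSIG  DS 8 1 86400 20190801000000 20190718000000 12345 . PLACEHOLDER==
EOF
}
sample_unsigned_cut_proven() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.com.      3600  IN  SOA    ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.      3600  IN  RRSIG  SOA 13 2 3600 20190801000000 20190718000000 12345 example.com. PLACEHOLDER==
sub.example.com.  3600  IN  NSEC   zzz.example.com. NS RRSIG NSEC
sub.example.com.  3600  IN  RRSIG  NSEC 13 3 3600 20190801000000 20190718000000 12345 example.com. PLACEHOLDER==
EOF
}
sample_unsigned_cut_unproven() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.com.      3600  IN  SOA    ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
EOF
}
sample_servfail() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1004
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Offline demo over the constructed samples.
for s in sample_signed_cut sample_unsigned_cut_proven sample_unsigned_cut_unproven sample_servfail; do
  printf '%-30s %s\n' "$s" "$($s | classify_ds_reply)"
done
```

For a live check, `walk_ds_chain 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com` (or with a second argument naming the stubby listener) prints one verdict per zone cut, so a BOGUS line at is-cf.cloudflareresolve.com points at the upstream's DS reply for that cut rather than at the A query itself. The classifier deliberately requires an RRSIG alongside the NSEC/NSEC3 records: an unsigned denial is exactly what a validator cannot use, which is why it is grouped with BOGUS.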
