[Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

Tore Anderson tore at fud.no
Tue Sep 3 18:29:54 BST 2019


* Tore Anderson

> Apologies, I botched my test (using the wrong upstream server). It does *not* work, but the error is different:
> 
> $ src/dnsmasq -d -p 5353
> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
> dnsmasq: DNSSEC validation enabled
> dnsmasq: configured with trust anchor for <root> keytag 20326
> dnsmasq: configured with trust anchor for <root> keytag 19036
> dnsmasq: using nameserver 87.238.33.1#53
> dnsmasq: cleared cache
> dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
> dnsmasq: forwarded www.ipv6.org.uk to 87.238.33.1
> dnsmasq: dnssec-query[DS] uk to 87.238.33.1
> dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
> dnsmasq: reply . is DNSKEY keytag 59944, algo 8
> dnsmasq: reply . is DNSKEY keytag 20326, algo 8
> dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2
> dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
> dnsmasq: dnssec-query[DNSKEY] uk to 87.238.33.1
> dnsmasq: reply uk is DNSKEY keytag 43876, algo 8
> dnsmasq: reply uk is DNSKEY keytag 43056, algo 8
> dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2
> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
> dnsmasq: dnssec-query[DNSKEY] org.uk to 87.238.33.1
> dnsmasq: reply org.uk is DNSKEY keytag 41523, algo 8
> dnsmasq: reply ipv6.org.uk is no DS
> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
> dnsmasq: reply ipv6.org.uk is no DS
> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
> dnsmasq: reply ipv6.org.uk is no DS
> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
> dnsmasq: reply ipv6.org.uk is no DS
> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
> dnsmasq: reply ipv6.org.uk is no DS
> [...]
> 
> This query is repeated ~44 times in a tight loop. It makes a total of 50 queries before giving up; I guess it hits a built-in limit.
> 
> PCAP attached.
> 
> It seems to happen with *all* Insecure domain names (not only those that have CNAMEs pointing to other Secure domain names).

Bisected:

ae7a3b9d2e8705af203a1347c397718a24331747 is the first bad commit
commit ae7a3b9d2e8705af203a1347c397718a24331747
Author: Simon Kelley <simon at thekelleys.org.uk>
Date:   Tue Sep 3 14:40:47 2019 +0100

    DNSSEC: implement RFC-4036 para 5.3.3. rules on TTL values.

:040000 040000 52d7ead3d28019308dff0cb0dfcd80e4ef0341de 60ff380eb9c6b813d5081dee470d276be2109480 M      src

If I revert this one, www.ipv6.org.uk and www.linuxquestions.org both resolve fine (as Insecure). So the fix in 69a0477 seems good.

Tore
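An added diagnostic for the symptom reported above (not code from the thread or from dnsmasq): a small Python parser for the `dnsmasq -d` lines quoted earlier that rebuilds the DS walk from the root down and flags any validator query repeated with the same answer, which a healthy chain walk never produces. The embedded log is a constructed subset of the quoted output; the loop threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample: a subset of the dnsmasq -d output quoted in the thread,
# ending with the repeated DS query for ipv6.org.uk that the report describes.
SAMPLE_LOG = """\
dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
dnsmasq: forwarded www.ipv6.org.uk to 87.238.33.1
dnsmasq: dnssec-query[DS] uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
dnsmasq: reply . is DNSKEY keytag 59944, algo 8
dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2
dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] uk to 87.238.33.1
dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
"""

QUERY_RE = re.compile(r"dnssec-query\[(?P<rtype>[A-Z]+)\] (?P<name>\S+) to (?P<server>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<what>.+)")


def analyse(log_text, loop_threshold=3):
    """Summarise a dnsmasq DNSSEC chain walk from its -d log lines.

    Returns the DS walk order (one entry per zone cut, root to leaf), the
    count of every (type, name) validator query, the distinct replies seen
    per name, and any query repeated loop_threshold times or more. A correct
    walk asks DS and DNSKEY for each zone cut once; an Insecure name ends the
    walk at the first validated "no DS", so repeats indicate a re-query loop.
    """
    queries, replies, chain = Counter(), {}, []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries[(m["rtype"], m["name"])] += 1
            if m["rtype"] == "DS" and m["name"] not in chain:
                chain.append(m["name"])  # first time this zone cut is walked
            continue
        m = REPLY_RE.search(line)
        if m:
            replies.setdefault(m["name"], set()).add(m["what"])
    loops = {k: n for k, n in queries.items() if n >= loop_threshold}
    return {"chain": chain, "queries": dict(queries), "replies": replies, "loops": loops}
```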
