[Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

Simon Kelley simon at thekelleys.org.uk
Tue Sep 3 22:51:14 BST 2019


On 03/09/2019 18:29, Tore Anderson wrote:
> * Tore Anderson
> 
>> Apologies, I botched my test (using the wrong upstream server). It does *not* work, but the error is different:
>>
>> $ src/dnsmasq -d -p 5353
>> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
>> dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
>> dnsmasq: DNSSEC validation enabled
>> dnsmasq: configured with trust anchor for <root> keytag 20326
>> dnsmasq: configured with trust anchor for <root> keytag 19036
>> dnsmasq: using nameserver 87.238.33.1#53
>> dnsmasq: cleared cache
>> dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
>> dnsmasq: forwarded www.ipv6.org.uk to 87.238.33.1
>> dnsmasq: dnssec-query[DS] uk to 87.238.33.1
>> dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
>> dnsmasq: reply . is DNSKEY keytag 59944, algo 8
>> dnsmasq: reply . is DNSKEY keytag 20326, algo 8
>> dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2
>> dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
>> dnsmasq: dnssec-query[DNSKEY] uk to 87.238.33.1
>> dnsmasq: reply uk is DNSKEY keytag 43876, algo 8
>> dnsmasq: reply uk is DNSKEY keytag 43056, algo 8
>> dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: dnssec-query[DNSKEY] org.uk to 87.238.33.1
>> dnsmasq: reply org.uk is DNSKEY keytag 41523, algo 8
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> [...]
>>
>> This query is repeated ~44 times in a tight loop. It makes a total of 50 queries before giving up; I guess it hits a built-in limit.
>>
>> PCAP attached.
>>
>> It seems to happen with *all* Insecure domain names (not only those that have CNAMES pointing to other Secure domain names).
> 
> Bisected:
> 
> ae7a3b9d2e8705af203a1347c397718a24331747 is the first bad commit
> commit ae7a3b9d2e8705af203a1347c397718a24331747
> Author: Simon Kelley <simon at thekelleys.org.uk>
> Date:   Tue Sep 3 14:40:47 2019 +0100
> 
>     DNSSEC: implement RFC-4036 para 5.3.3. rules on TTL values.
> 
> :040000 040000 52d7ead3d28019308dff0cb0dfcd80e4ef0341de 60ff380eb9c6b813d5081dee470d276be2109480 M      src
> 
> If I revert this one, www.ipv6.org.uk and www.linuxquestions.org both resolve fine (as Insecure). So the fix in 69a0477 seems good.
> 


OK. I think I see the problem......

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e24abf28a29574069717af78c1d3e0ede64388ff

should fix.


Simon.
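As an added illustration, not code from the thread or from dnsmasq itself, here is a small log check that flags the symptom in Tore's debug output: the same dnssec-query[DS] for one name being repeated many times after an identical "no DS" answer, where a healthy chain walk asks for each label's DS once. It assumes the dnsmasq -d log line format quoted above; the sample log and the repeat threshold are constructed.

```python
"""Flag a DNSSEC DS-query loop in dnsmasq -d output (added example).

A correct validation walk for www.ipv6.org.uk asks for the DS of uk,
org.uk and ipv6.org.uk once each. Re-asking the same DS after an
identical 'no DS' reply means the insecure-delegation proof was not
accepted, which is the regression discussed in this thread.
"""
import re
from collections import Counter

DS_QUERY = re.compile(r"dnssec-query\[DS\] (\S+) to (\S+)")
NO_DS_REPLY = re.compile(r"reply (\S+) is no DS")

MAX_REPEATS = 3  # assumed threshold; one query per label is the norm


def ds_query_counts(lines):
    """Count DS queries per name in dnsmasq -d log lines."""
    counts = Counter()
    for line in lines:
        m = DS_QUERY.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def no_ds_reply_counts(lines):
    """Count 'no DS' replies per name (the insecure-delegation proof)."""
    counts = Counter()
    for line in lines:
        m = NO_DS_REPLY.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def find_ds_loops(lines, max_repeats=MAX_REPEATS):
    """Names whose DS was queried more than max_repeats times, with counts."""
    return {n: c for n, c in ds_query_counts(lines).items() if c > max_repeats}


# Constructed sample modelled on the log quoted in the thread.
SAMPLE_LOG = (
    "dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1\n"
    "dnsmasq: dnssec-query[DS] uk to 87.238.33.1\n"
    "dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2\n"
    "dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1\n"
    "dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2\n"
) + "".join(
    "dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1\n"
    "dnsmasq: reply ipv6.org.uk is no DS\n" for _ in range(5)
)

if __name__ == "__main__":
    for name, n in find_ds_loops(SAMPLE_LOG.splitlines()).items():
        print(f"possible validation loop: DS for {name} queried {n} times")
```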



> Tore
> 