[Dnsmasq-discuss] BOGUS DNSSEC responses

László Károlyi laszlo at karolyi.hu
Thu Jul 9 09:07:58 BST 2020


Thanks for your response again.

I'm not an expert in DNSSEC, so I can't answer your first point. As
for the second point, I attached my (pretty milquetoast) unbound.conf; not
much changes in there, hoping it could give a clue.

Edit: Resending the unbound.conf zipped, since the unzipped version
got held up by mailman.

Cheers,
--
László Károlyi
https://linkedin/com/in/karolyi

On 06.07.20 23:05, Simon Kelley wrote:
> OK, I can see the proximate cause of the problem, but I'm not sure
> what's causing it and I'm not sure how behaviour needs to change.
>
> The proximate cause is that the upstream server (unbound, I think) is
> returning answers to queries for DNSKEY records with time-to-live as
> zero. Time-to-live zero means "use this once, but don't cache it" so
> dnsmasq doesn't cache it. But the DNSSEC validation process in dnsmasq
> depends on data like DNSKEYs being cached: that's the path by which it
> gets to the correct place for doing the validation. Hence the validation
> failures.
>
> Two questions arise.
>
> 1) Is dnsmasq wrong to fail validation with DNSKEYs with TTL zero? I
> think the answer to that is probably "yes", if only on grounds of "be
> forgiving in what you accept". The fix is fairly simple.
>
> 2) Why is Unbound returning DNSKEY records with TTL zero, over and over
> again? Is there something in your unbound config that causes that?
>
>
> Cheers,
>
> Simon.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound.conf.zip
Type: application/x-zip-compressed
Size: 13807 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20200709/a0981874/attachment-0001.bin>
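The condition Simon describes above (an upstream handing back DNSKEY records with TTL zero) can be checked directly on the wire. The following is an added example, not code from the thread or from dnsmasq/unbound: a minimal parser for a DNS wire-format response that lists the answer-section RRs and flags DNSKEY records with TTL 0. The response bytes are constructed inline for illustration; the zone name, key material and message ID are placeholders.

```python
import struct

DNSKEY = 48          # RR type DNSKEY (RFC 4034)

def read_name(msg, off):
    """Parse a possibly compressed owner name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                          # resume after the pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def answer_rrs(msg):
    """Return [(owner, rtype, ttl), ...] for the answer section of a response."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                           # fixed 12-byte header
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    rrs = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen                              # fixed RR fields + RDATA
        rrs.append((owner, rtype, ttl))
    return rrs

def zero_ttl_dnskeys(msg):
    """Owner names of DNSKEY answers that arrive with TTL 0 (uncacheable)."""
    return [o for o, t, ttl in answer_rrs(msg) if t == DNSKEY and ttl == 0]

def build_response(ttls):
    """Constructed sample: a DNSKEY response for example.com. with given TTLs."""
    name = b"\x07example\x03com\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, len(ttls), 0, 0)  # QR, RD, RA, AD
    question = name + struct.pack("!HH", DNSKEY, 1)                        # class IN
    rrs = b""
    for ttl in ttls:
        rdata = struct.pack("!HBB", 257, 3, 13) + b"\x00" * 8   # KSK flags, proto, alg; dummy key
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", DNSKEY, 1, ttl, len(rdata)) + rdata
    return header + question + rrs

SAMPLE = build_response([0, 3600])   # one uncacheable key, one normal key
```

Feed `zero_ttl_dnskeys()` a captured response from the upstream resolver; a non-empty result is the symptom described in the quoted reply.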