<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I would suggest using delv +vtrace @8.8.8.8</p>
<p><br>
</p>
<p>Then compare it with delv +vtrace @127.0.0.1<br>
</p>
<p><br>
</p>
<p>It is not about the AD flag, dnsmasq would set it itself. But
there have to be RRSIG records when you do dig +dnssec. All of
1.1.1.1, 8.8.8.8 and 9.9.9.9 should support DNSSEC just fine. Is it
possible your requests are intercepted on the way by a different
server?</p>
<p><br>
</p>
<p>You would have to use DNS over TLS or DNS over HTTPS, which
dnsmasq does not support. Or maybe just a different internet
provider.<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 08. 06. 22 13:04, Stuart Bailey
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:LO4P265MB3582A4CC9B50069B5FF535DEF4A49@LO4P265MB3582.GBRP265.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Hello,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
I have dnsmasq running on a Debian server / router, configured
so that clients on the 'LAN' side can send DNS queries to the
server rather than directly to the Internet. I'd like to
configure dnsmasq to validate DNSSEC responses, but when I add
the lines:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span style="font-family:monospace" class="elementToProof"><span
style="color:#000000;background-color:#ffffff">conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
</span><br>
dnssec<br>
<br>
</span>to my config file, all DNS requests to forwarders now fail.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
If I run </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span style="font-family: 'Courier New';">dig +dnssec
@8.8.8.8 &lt;lookup domain&gt; </span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
directly on the server, I get the expected response with the
'ad' flag as appropriate.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
My dnsmasq.conf file looks like:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff">#
Configuration file for dnsmasq.
</span><br>
# <br>
domain-needed <br>
bogus-priv <br>
localise-queries <br>
domain=integra-edge.io <br>
no-hosts <br>
local=/integra-edge.io/ <br>
port=53 <br>
log-queries <br>
log-debug <br>
max-ttl=1 <br>
listen-address=127.0.0.1 <br>
cache-size=1000 <br>
no-resolv <br>
no-poll <br>
<br>
strict-order <br>
server=1.1.1.1 <br>
server=8.8.8.8 <br>
server=9.9.9.9 <br>
<br>
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf <br>
dnssec <br>
#dnssec-check-unsigned <br>
<br>
dhcp-leasefile=/var/lib/dhcp/dnsmasq.leases <br>
<br>
conf-dir=/etc/dnsmasq.d/dhcp,*.conf<br>
<br>
</span>Using tcpdump, I can see that dnsmasq seems to get stuck
on the DNSKEY request:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff">10:59:15.431106
IP 192.168.20.55.43867 > dns9.quad9.net.domain: 33763+
[1au] A? bbc.co.uk. (50)
</span><br>
10:59:15.471293 IP dns9.quad9.net.domain >
192.168.20.55.43867: 33763 4/0/1 A 151.101.192.81, A
151.101.64.81, A 151.101.0.81, A 151.101.128.81 (102)
<br>
10:59:15.471497 IP 192.168.20.55.45970 >
dns9.quad9.net.domain: 27235+ [1au] DS? uk. (31)
<br>
10:59:15.508817 IP dns9.quad9.net.domain >
192.168.20.55.45970: 27235$ 2/0/1 DS, RRSIG (366)
<br>
10:59:15.509375 IP 192.168.20.55.60968 >
dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)
<br>
10:59:20.434731 IP 192.168.20.55.60968 >
dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)
<br>
10:59:25.438660 IP 192.168.20.55.60968 >
dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)<br>
</span><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
But using dig directly as above, I only get:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff">11:00:42.118765
IP 192.168.20.55.34235 > dns9.quad9.net.domain: 47855+
[1au] A? bbc.co.uk. (50)
</span><br>
11:00:42.149587 IP dns9.quad9.net.domain >
192.168.20.55.34235: 47855 4/0/1 A 151.101.64.81, A
151.101.128.81, A 151.101.192.81, A 151.101.0.81 (102)
<br>
<br>
</span>I am running Debian 11 (bullseye) with dnsmasq version
2.85.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
My trust-anchors.conf file is the standard file shipped with
Bullseye.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Many thanks,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Stuart</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Dnsmasq-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk">Dnsmasq-discuss@lists.thekelleys.org.uk</a>
<a class="moz-txt-link-freetext" href="https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss">https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer, RHEL
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
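<p>The tcpdump capture quoted above shows one query (DNSKEY for the root) retransmitted three times with no reply, while the A and DS answers from the same forwarder came back. As an added example that is not from either poster, this Python snippet pairs tcpdump DNS lines by client endpoint and transaction id and reports queries that were retried without ever being answered, which is the pattern to compare between a direct forwarder and the path dnsmasq uses. The sample input is a constructed copy of the lines from the post.</p>

```python
import re

# Constructed sample: the tcpdump lines quoted in the post (root DNSKEY query retried, never answered).
CAPTURE = """\
10:59:15.431106 IP 192.168.20.55.43867 > dns9.quad9.net.domain: 33763+ [1au] A? bbc.co.uk. (50)
10:59:15.471293 IP dns9.quad9.net.domain > 192.168.20.55.43867: 33763 4/0/1 A 151.101.192.81, A 151.101.64.81, A 151.101.0.81, A 151.101.128.81 (102)
10:59:15.471497 IP 192.168.20.55.45970 > dns9.quad9.net.domain: 27235+ [1au] DS? uk. (31)
10:59:15.508817 IP dns9.quad9.net.domain > 192.168.20.55.45970: 27235$ 2/0/1 DS, RRSIG (366)
10:59:15.509375 IP 192.168.20.55.60968 > dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)
10:59:20.434731 IP 192.168.20.55.60968 > dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)
10:59:25.438660 IP 192.168.20.55.60968 > dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)
"""

# One tcpdump DNS line: timestamp, src > dst, transaction id plus flag chars (+ = RD, $ = AD), then query or answer text.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)(?P<flags>[+$*|-]*) (?P<rest>.*)$")
QUERY_RE = re.compile(r"^(?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


def track_transactions(capture):
    """Pair queries with responses by (client endpoint, id); record send count and whether any reply arrived."""
    txns = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QUERY_RE.match(m["rest"])
        if q:  # a query: the client is the source endpoint
            key = (m["src"], m["id"])
            t = txns.setdefault(key, {"qtype": q["qtype"], "qname": q["qname"], "sent": 0, "answered": False})
            t["sent"] += 1
        else:  # a response: the client is the destination endpoint
            t = txns.get((m["dst"], m["id"]))
            if t:
                t["answered"] = True
    return txns


def stuck_queries(capture, min_retries=2):
    """Return (qtype, qname, times_sent) for queries retransmitted at least min_retries times and never answered."""
    return [(t["qtype"], t["qname"], t["sent"])
            for t in track_transactions(capture).values()
            if not t["answered"] and t["sent"] >= min_retries]


if __name__ == "__main__":
    for qtype, qname, sent in stuck_queries(CAPTURE):
        print(f"no response to {qtype} {qname} after {sent} attempts")
```

Feed it the output of a real `tcpdump -n port 53` run (one capture per forwarder path) to see which query type stops being answered.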
</body>
</html>