[Dnsmasq-discuss] dnsmasq and "AD" flag forwarding

Simon Kelley simon at thekelleys.org.uk
Thu Dec 12 09:51:40 GMT 2013


On 11/12/13 13:52, Tomas Hozza wrote:
> Hi.
>
> I have been trying to understand what --proxy-dnssec option does.
>
> From what I understand if NOT used, dnsmasq will NOT forward the
> AD flag set by the upstream server to its clients.
>
> If the --proxy-dnssec option is used, dnsmasq WILL forward the
> AD flag in the DNS answer IF it was set by the upstream server.
>
> If this is correct, then the dnsmasq behaviour differs.
>
> I run:
> [root at localhost ~]# dnsmasq -d --bind-interfaces --interface=lo --server=8.8.8.8 --no-resolv
> dnsmasq: started, version 2.68 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth
> dnsmasq: using nameserver 8.8.8.8#53
> dnsmasq: read /etc/hosts - 2 addresses
>
>
> and then on the same machine I run DIG:
> [root at localhost ~]# dig @127.0.0.1 nic.cz
>
> ;<<>>  DiG 9.9.4-RedHat-9.9.4-8.fc20<<>>  @127.0.0.1 nic.cz
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35121
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;nic.cz.				IN	A
>
> ;; ANSWER SECTION:
> nic.cz.			865	IN	A	217.31.205.50
>
> ;; Query time: 29 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Dec 11 14:47:11 CET 2013
> ;; MSG SIZE  rcvd: 51
>
> [root at localhost ~]# dig @127.0.0.1 nic.cz
>
> ;<<>>  DiG 9.9.4-RedHat-9.9.4-8.fc20<<>>  @127.0.0.1 nic.cz
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39434
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;nic.cz.				IN	A
>
> ;; ANSWER SECTION:
> nic.cz.			863	IN	A	217.31.205.50
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Dec 11 14:47:13 CET 2013
> ;; MSG SIZE  rcvd: 40
>
>
> You can see that after dnsmasq caches the answer it sets AD flag for
> every subsequent query received from client.
>
> If I set --cache-size=0, the AD flag is never set. Also subsequent
> queries look fine.
>
>
> However if I run dnsmasq as follows:
> [root at localhost ~]# dnsmasq -d --bind-interfaces --interface=lo --server=8.8.8.8 --no-resolv --cache-size=0 --proxy-dnssec
> dnsmasq: started, version 2.68 cache disabled
> dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth
> dnsmasq: using nameserver 8.8.8.8#53
> dnsmasq: read /etc/hosts - 2 addresses
>
> Then the AD flag is never forwarded to the client:
> [root at localhost ~]# dig @127.0.0.1 nic.cz
>
> ;<<>>  DiG 9.9.4-RedHat-9.9.4-8.fc20<<>>  @127.0.0.1 nic.cz
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34661
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;nic.cz.				IN	A
>
> ;; ANSWER SECTION:
> nic.cz.			670	IN	A	217.31.205.50
>
> ;; Query time: 26 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Dec 11 14:50:25 CET 2013
> ;; MSG SIZE  rcvd: 51
>
> [root at localhost ~]# dig @127.0.0.1 nic.cz
>
> ;<<>>  DiG 9.9.4-RedHat-9.9.4-8.fc20<<>>  @127.0.0.1 nic.cz
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44968
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;nic.cz.				IN	A
>
> ;; ANSWER SECTION:
> nic.cz.			1034	IN	A	217.31.205.50
>
> ;; Query time: 25 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Dec 11 14:50:30 CET 2013
> ;; MSG SIZE  rcvd: 51
>
> [root at localhost ~]# dig @8.8.8.8 nic.cz
>
> ;<<>>  DiG 9.9.4-RedHat-9.9.4-8.fc20<<>>  @8.8.8.8 nic.cz
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17357
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;nic.cz.				IN	A
>
> ;; ANSWER SECTION:
> nic.cz.			993	IN	A	217.31.205.50
>
> ;; Query time: 23 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Dec 11 14:51:10 CET 2013
> ;; MSG SIZE  rcvd: 51
>
>
> As you can see, the 8.8.8.8 server sets the AD flag in the response.
>
> Is this a bug or am I doing something wrong?

I can see at least one bug in the code: in the code-path taken to answer 
a query from the cache, the value of the AD flag is never changed: it 
simply takes the value that it had in the query. I guess the 
"authenticated" status of the data should be cached, and used to provide 
this information.

I'm currently deep into work to provide DNSSEC validation in dnsmasq, 
and all of this code is therefore subject to massive revision in the 
near future. I'll address the behaviour when dnsmasq is NOT validating 
itself as part of that work.


Cheers,


Simon.

>
> Thanks!
>
> Regards,
>
> Tomas Hozza
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
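As an added illustration of the cache-path bug Simon describes above (model code written for this page, not dnsmasq's source, with hypothetical names such as reply_from_cache_buggy), a constructed 12-byte DNS header is answered from a toy cache two ways: once reusing the client's flag word, so AD is whatever the client sent, and once deriving AD from the cached upstream status while honouring --proxy-dnssec.

```python
import struct

# DNS header flag bits (RFC 1035; AD from RFC 4035 section 3.2.3).
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020

def parse_header(hdr):
    """Unpack the 12-byte DNS header into a dict of its fields."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", hdr[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}

def flag_names(flags):
    """Render the flag word the way dig prints it, e.g. ['qr', 'rd', 'ra', 'ad']."""
    return [n for n, bit in (("qr", QR), ("rd", RD), ("ra", RA), ("ad", AD))
            if flags & bit]

def build_query(ident, ad_in_query):
    """Constructed client query header: RD set, AD set only if requested."""
    return struct.pack("!6H", ident, RD | (AD if ad_in_query else 0), 1, 0, 0, 0)

def reply_from_cache_buggy(query_hdr, entry):
    """Answer from cache by reusing the client's flag word and adding QR/RA.
    AD is never touched, so it is whatever the client put in its query."""
    q = parse_header(query_hdr)
    return struct.pack("!6H", q["id"], q["flags"] | QR | RA, 1, entry["ancount"], 0, 0)

def reply_from_cache_fixed(query_hdr, entry, proxy_dnssec):
    """Answer from cache with AD derived from the cached upstream status:
    the client's AD bit is cleared, and AD is set only when --proxy-dnssec is
    on and the upstream answer that populated the cache carried AD."""
    q = parse_header(query_hdr)
    flags = (q["flags"] & (0xFFFF ^ AD)) | QR | RA
    if proxy_dnssec and entry["authenticated"]:
        flags |= AD
    return struct.pack("!6H", q["id"], flags, 1, entry["ancount"], 0, 0)

def cached_reply_has_ad(query_ad, authenticated, proxy_dnssec, fixed):
    """Drive one scenario and report whether the cached reply carries AD."""
    entry = {"ancount": 1, "authenticated": authenticated}  # hypothetical cache entry
    query = build_query(0x1234, query_ad)
    reply = (reply_from_cache_fixed(query, entry, proxy_dnssec) if fixed
             else reply_from_cache_buggy(query, entry))
    return "ad" in flag_names(parse_header(reply)["flags"])

if __name__ == "__main__":
    # Constructed scenario mirroring the thread: the client sets AD in its query,
    # the cache was filled from an answer without AD, and --proxy-dnssec is off.
    print("buggy path sets AD:", cached_reply_has_ad(True, False, False, fixed=False))
    print("fixed path sets AD:", cached_reply_has_ad(True, False, False, fixed=True))
```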
