[Dnsmasq-discuss] Testers wanted: DNSSEC.

Simon Kelley simon at thekelleys.org.uk
Thu Feb 6 10:29:55 GMT 2014


On 05/02/14 23:23, Eugene Rudoy wrote:
> Hi Simon,
>
> On Wed, Feb 5, 2014 at 9:39 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>>
>> Most zones (including those you use as examples) are not (yet) signed, so
>> that's the expected result.
>>
>> Try
>>
>> paypal.com
>> ietf.org
>> www.dnssec-failed.org
>>
>
> hmm, tried all above, still INSECURE
>
> Feb  6 00:19:29 fb daemon.info dnsmasq[1894]: started, version
> 2.69test6 cachesize 256
> Feb  6 00:19:29 fb daemon.info dnsmasq[1894]: compile time options:
> no-IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP
> no-conntrack ipset auth DNSSEC
> Feb  6 00:19:29 fb daemon.info dnsmasq[1894]: DNSSEC validation enabled
> Feb  6 00:19:29 fb daemon.info dnsmasq[1894]: asynchronous logging
> enabled, queue limit is 10 messages
> Feb  6 00:19:29 fb daemon.info dnsmasq-dhcp[1894]: DHCP, IP range
> 192.168.xx.20 -- 192.168.xx.99, lease time 12h
> Feb  6 00:19:29 fb daemon.info dnsmasq-tftp[1894]: TFTP root is /tftproot
> Feb  6 00:19:29 fb daemon.info dnsmasq[1894]: using nameserver 8.8.4.4#53
> Feb  6 00:19:29 fb daemon.info dnsmasq[1894]: using nameserver 8.8.8.8#53
> Feb  6 00:19:29 fb daemon.info dnsmasq[1894]: read /etc/hosts - 23 addresses
> Feb  6 00:19:29 fb daemon.info dnsmasq-dhcp[1894]: read /etc/ethers -
> 3 addresses
>
> Feb  6 00:20:05 fb daemon.info dnsmasq[1894]: query[A] paypal.com from
> 192.168.xx.20
> Feb  6 00:20:05 fb daemon.info dnsmasq[1894]: forwarded paypal.com to 8.8.8.8
> Feb  6 00:20:05 fb daemon.info dnsmasq[1894]: validation result is INSECURE
> Feb  6 00:20:05 fb daemon.info dnsmasq[1894]: reply paypal.com is 66.211.169.3
> Feb  6 00:20:05 fb daemon.info dnsmasq[1894]: reply paypal.com is 66.211.169.66
>
> Feb  6 00:20:39 fb daemon.info dnsmasq[1894]: query[A] ietf.org from
> 192.168.xx.20
> Feb  6 00:20:39 fb daemon.info dnsmasq[1894]: forwarded ietf.org to 8.8.8.8
> Feb  6 00:20:39 fb daemon.info dnsmasq[1894]: validation result is INSECURE
> Feb  6 00:20:39 fb daemon.info dnsmasq[1894]: reply ietf.org is 4.31.198.44
>
> Feb  6 00:20:47 fb daemon.info dnsmasq[1894]: query[A]
> www.dnssec-failed.org from 192.168.xx.20
> Feb  6 00:20:47 fb daemon.info dnsmasq[1894]: forwarded
> www.dnssec-failed.org to 8.8.8.8
> Feb  6 00:20:47 fb daemon.info dnsmasq[1894]: validation result is INSECURE
> Feb  6 00:20:47 fb daemon.info dnsmasq[1894]: reply
> www.dnssec-failed.org is 69.252.216.215
> Feb  6 00:20:47 fb daemon.info dnsmasq[1894]: reply
> www.dnssec-failed.org is 69.252.208.135
>

What result do you get if you run

dig +dnssec @8.8.8.8 ietf.org

It's not unknown for an ISP to redirect all port 53 traffic to their own 
DNS servers.........


Cheers,

Simon.
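
An added example, not part of the original message: a small Python parser for the text output of the dig +dnssec check suggested above. It reports whether the reply carried the AD header flag, the EDNS DO flag and any RRSIG records in the answer section. Both dig outputs are constructed samples (the RRSIG rdata is a placeholder), and the function name dnssec_evidence is hypothetical.

```python
import re

# Constructed sample: a reply that carries DNSSEC data (RRSIG rdata is a placeholder).
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ietf.org.               IN  A

;; ANSWER SECTION:
ietf.org.        1799    IN  A      4.31.198.44
ietf.org.        1799    IN  RRSIG  A 5 2 1800 (constructed-signature-fields)
"""

# Constructed sample: the same query answered with no EDNS and no signatures.
STRIPPED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ietf.org.               IN  A

;; ANSWER SECTION:
ietf.org.        1799    IN  A      4.31.198.44
"""

def dnssec_evidence(dig_text):
    """Summarise the DNSSEC signals visible in `dig +dnssec` text output."""
    hdr = re.search(r"^;; flags:([^;]*);", dig_text, re.M)        # header flags line
    edns = re.search(r"^; EDNS:.*flags:([^;]*);", dig_text, re.M)  # OPT pseudo-record
    rrsigs, section = 0, None
    for line in dig_text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
        elif section == "ANSWER" and line and not line.startswith(";"):
            fields = line.split()          # name, ttl, class, type, rdata...
            rrsigs += 1 if len(fields) > 3 and fields[3] == "RRSIG" else 0
    return {"ad": "ad" in (hdr.group(1).split() if hdr else []),
            "do": "do" in (edns.group(1).split() if edns else []), "rrsig": rrsigs}

if __name__ == "__main__":
    for name, text in (("signed", SIGNED), ("stripped", STRIPPED)):
        print(name, dnssec_evidence(text))
```

For a zone known to be signed, a result with no RRSIG records and no DO flag means the reply did not arrive over a DNSSEC-aware path, which is what a redirected port 53 would look like from the client.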




