[Dnsmasq-discuss] losing RRSIGS in dnsmasq 2.73rc3

Simon Kelley simon at thekelleys.org.uk
Thu Apr 2 21:08:43 BST 2015



I get a BOGUS validation because there's no DS record for bufferbloat.net

bufferbloat.net uses dlv.isc.org, which dnsmasq doesn't support. I
think we went round this loop last year sometime.

What are you doing which allows this to validate? Maybe a configured
trust-anchor for bufferbloat.net? I guess the first answer is being
returned from upstream, and the second is coming from the dnsmasq
cache. It should have RRSIGs nevertheless, but I can't work out
what's happening until I understand how you're getting validation at all.


Cheers,


Simon.






On 02/04/15 20:10, Dave Taht wrote:
> So I am testing with the latest 2.73 release candidate3.
> 
> I do TWO dnssec queries on the same domain.
> 
> The first, does the right thing. The second, does not give me the 
> RRSIGs.
> 
> 
> d at nuc-client:~/public_html/archer_c7_O2$ dig www.bufferbloat.net +dnssec +multi
> 
> ; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> www.bufferbloat.net +dnssec +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38038
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4000
> ;; QUESTION SECTION:
> ;www.bufferbloat.net.    IN A
> 
> ;; ANSWER SECTION:
> www.bufferbloat.net.    86400 IN CNAME shipka.bufferbloat.net.
> www.bufferbloat.net.    86400 IN RRSIG CNAME 7 3 86400 (
>                 20150430231644 20150331223348 6560 bufferbloat.net.
>                 qVWE6+j4ESNbRoulnJO9FoDdSCWCpghIE2Pe9f0wGaF5
>                 lSdVv5S1A2S6P5YrZaWajp8BWPO/cliXjwStNQdoQ5Et
>                 YtHgrDZAMj1hW2CVR8TPWaa+I2R5jnmqbdTslBBCxkpG
>                 2vFLB6SioH8oh4JYtujD3K0XxOY543MclW7FF60= )
> shipka.bufferbloat.net. 86400 IN A 149.20.54.81
> shipka.bufferbloat.net.    86400 IN RRSIG A 7 3 86400 (
>                 20150430184126 20150331182930 6560 bufferbloat.net.
>                 QPy1G/6ho5zIbPA8KUKFKjFYVCOvib454oRvaQ1cvfZZ
>                 vLyvd8zUmLw8nxAa3hcsU1MZlLAo1ELPEOac8/ND0FkZ
>                 Wp8wm/OTajoFM9/cOZqFNXkPBdsboqlSo0+EBJiROuzI
>                 u2S8PtoC0y7gJdjeRIXHhoYsv+TeZm9TtrCGBK4= )
> 
> ;; Query time: 34 msec
> ;; SERVER: 192.168.1.1#53(192.168.1.1)
> ;; WHEN: Thu Apr 02 12:04:27 PDT 2015
> ;; MSG SIZE  rcvd: 435
> 
> d at nuc-client:~/public_html/archer_c7_O2$ dig www.bufferbloat.net +dnssec +multi
> 
> ; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> www.bufferbloat.net +dnssec +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61475
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.bufferbloat.net.    IN A
> 
> ;; ANSWER SECTION:
> www.bufferbloat.net.    86397 IN CNAME shipka.bufferbloat.net.
> shipka.bufferbloat.net.    86397 IN A 149.20.54.81
> 
> ;; Query time: 0 msec
> ;; SERVER: 192.168.1.1#53(192.168.1.1)
> ;; WHEN: Thu Apr 02 12:04:30 PDT 2015
> ;; MSG SIZE  rcvd: 100
> 
> 

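The symptom discussed in this thread (a response with the DO flag set whose answer RRsets carry no RRSIG) can be checked mechanically. The following is an added example, not part of either message and not dnsmasq code: it parses dig answer text in one-record-per-line form and lists the RRsets that have no covering RRSIG. The function names are hypothetical, and the two sample responses are constructed from the output quoted above with the signature data replaced by a placeholder.

```python
# Added example, not dnsmasq code. Lists answer RRsets that have no covering
# RRSIG in a response whose OPT flags include DO. Expects dig output with one
# record per line (dig +dnssec without +multi).
import re

def do_flag_set(text):
    """True if the OPT pseudosection line reports the DO flag."""
    m = re.search(r"^; EDNS:.*flags:([^;]*);", text, re.MULTILINE)
    return bool(m) and "do" in m.group(1).split()

def parse_records(text):
    """Yield (owner, type, rdata_fields) for each non-comment record line."""
    for line in text.splitlines():
        fields = line.split()
        # Record layout: owner TTL class type rdata...
        if len(fields) >= 5 and not line.lstrip().startswith(";") and fields[2] == "IN":
            yield fields[0].lower(), fields[3].upper(), fields[4:]

def unsigned_rrsets(text):
    """Return sorted (owner, type) RRsets lacking an RRSIG that covers them."""
    if not do_flag_set(text):
        return []  # signatures are only expected when DO is set
    rrsets, covered = set(), set()
    for owner, rrtype, rdata in parse_records(text):
        if rrtype == "RRSIG":
            covered.add((owner, rdata[0].upper()))  # first RDATA field: type covered
        else:
            rrsets.add((owner, rrtype))
    return sorted(rrsets - covered)

# Constructed samples modelled on the two responses in this thread;
# SIG_PLACEHOLDER stands in for the base64 signature data.
OPT = "; EDNS: version: 0, flags: do; udp: 4096\n"
FIRST_RESPONSE = OPT + """\
www.bufferbloat.net. 86400 IN CNAME shipka.bufferbloat.net.
www.bufferbloat.net. 86400 IN RRSIG CNAME 7 3 86400 20150430231644 20150331223348 6560 bufferbloat.net. SIG_PLACEHOLDER
shipka.bufferbloat.net. 86400 IN A 149.20.54.81
shipka.bufferbloat.net. 86400 IN RRSIG A 7 3 86400 20150430184126 20150331182930 6560 bufferbloat.net. SIG_PLACEHOLDER
"""
SECOND_RESPONSE = OPT + """\
www.bufferbloat.net. 86397 IN CNAME shipka.bufferbloat.net.
shipka.bufferbloat.net. 86397 IN A 149.20.54.81
"""

if __name__ == "__main__":
    for label, resp in (("first", FIRST_RESPONSE), ("second", SECOND_RESPONSE)):
        print(label, unsigned_rrsets(resp))
```

An empty list means every answer RRset has a covering RRSIG; it says nothing about whether those signatures validate.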


