[Dnsmasq-discuss] losing RRSIGS in dnsmasq 2.73rc3

Simon Kelley simon at thekelleys.org.uk
Thu Apr 2 21:50:58 BST 2015


On 02/04/15 21:43, Dave Taht wrote:
> On Thu, Apr 2, 2015 at 1:08 PM, Simon Kelley
> <simon at thekelleys.org.uk> wrote: I get a BOGUS validation because
> there's no DS record for bufferbloat.net
> 
> bufferbloat.net uses dlv.isc.org, which dnsmasq doesn't support. I 
> think we went round this loop last year sometime.
> 
>> I have to admit that we have not looked at how we did dnssec 4+
>> years back. It does (now) just appear that we are misconfigured.
>> Attempts to reach www.ietf.org always return the RRSIGS.
> 
> 
> What are you doing which allows this to validate? Maybe a
> configured trust-anchor for bufferbloat.net? I guess the first
> answer is being returned from upstream, and the second is coming
> from the dnsmasq cache. It should have RRSIGs nevertheless, but I
> can't work out what's happening until I understand how you're
> getting validation at all.
> 
>> I have no idea. I used Comcast's upstream resolvers.

Are you giving dnsmasq the --dnssec-debug flag? If so you'll still get
a reply (w/o an "ad" flag) when the validation fails. That (combined
with the second reply coming from cache) would fit the data provided.
If you remove the dnssec-debug flag, you should get consistent
SERVFAIL replies.

> 
>> (Next up for me is hammering dnssec via as many ways as I can
>> come up with over ipv6, btw)
> 
> 

I await developments......


S.
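An added check, not part of the thread, that sorts a captured `dig +dnssec` reply header into the three outcomes Simon describes: a validated answer carries the "ad" flag, a failed validation is SERVFAIL, and a NOERROR reply with no "ad" flag is the signature of a resolver running with --dnssec-debug (or not validating at all). The sample headers are constructed, not real captures.

```shell
#!/bin/sh
# Classify the header of a dig reply. Pass the full dig output as $1,
# e.g. classify_dig_output "$(dig +dnssec A www.ietf.org @127.0.0.1)".
classify_dig_output() {
    # RCODE from the ";; ->>HEADER<<- ... status: NOERROR, id: ..." line
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    # flag list from the ";; flags: qr rd ra ad; QUERY: ..." line
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo servfail ;;            # validation failed, debug flag off
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;   # resolver asserts authenticated data
                *)        echo unvalidated ;; # answer but no "ad": dnssec-debug or no validation
            esac ;;
        *) echo other ;;
    esac
}

# Constructed sample headers (not real captures) for each outcome.
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3333
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_AD" "$SAMPLE_NOAD" "$SAMPLE_SERVFAIL"; do
    echo "$(classify_dig_output "$s")"
done
```

Seeing "unvalidated" from a resolver you expect to validate is the case to chase: either the debug flag is masking a BOGUS result or validation is not happening at all.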