[Dnsmasq-discuss] losing RRSIGS in dnsmasq 2.73rc3

Dave Taht dave.taht at gmail.com
Thu Apr 2 22:17:17 BST 2015


On Thu, Apr 2, 2015 at 1:50 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 02/04/15 21:43, Dave Taht wrote:
>> On Thu, Apr 2, 2015 at 1:08 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>> I get a BOGUS validation because there's no DS record for bufferbloat.net
>>
>> bufferbloat.net uses dlv.isc.org, which dnsmasq doesn't support. I
>> think we went round this loop last year sometime.
>>
>>> I have to admit that we have not looked at how we did dnssec 4+
>>> years back. It does (now) just appear that we are misconfigured.
>>> Attempts to reach www.ietf.org always return the RRSIGS.
>>
>>
>> What are you doing which allows this to validate? Maybe a
>> configured trust-anchor for bufferbloat.net? I guess the first
>> answer is being returned from upstream, and the second is coming
>> from the dnsmasq cache. It should have RRSIGs nevertheless, but I
>> can't work out what's happening until I understand how you're
>> getting validation at all.
>>
>>> I have no idea. I used Comcast's upstream resolvers.
>
> Are you giving dnsmasq the --dnssec-debug flag? If so you'll still get
> a reply (without an "ad" flag) when the validation fails. That (combined
> with the second reply coming from cache) would fit the data provided.
> If you remove the dnssec-debug flag, you should get consistent
> SERVFAIL replies.

No dnssec-debug.

# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
dnssec-timestamp=/etc/dnssec_timestamp
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
dhcp-broadcast=tag:needs-broadcast
dhcp-range=lan,192.168.1.100,192.168.1.249,255.255.255.0,12h
no-dhcp-interface=eth0


>>
>>> (Next up for me is hammering dnssec via as many ways as I can
>>> come up with over ipv6, btw)
>>
>>
>
> I await developments......

Well, I wish I had a better test than namebench.

>
> S.



-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
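As an added example (not code from this thread, from Simon, or from dnsmasq): a small POSIX shell script that classifies `dig +dnssec` replies along the lines reasoned about above (ad flag set, RRSIGs present but no ad flag, SERVFAIL, no RRSIGs at all) and checks whether the parent zone publishes a DS record, which is what dnsmasq needs to build a chain of trust since it does not support DLV. It assumes `dig` from the BIND tools for live queries; the built-in sample reply (www.ietf.org with a placeholder address and signature) is constructed, not captured.

```shell
# Added example, not from the thread or dnsmasq. reply_status and ds_status
# parse dig output on stdin; check_name needs a working dig (BIND tools).

# stdin: `dig +dnssec <name> <type>` output. Prints one classification line.
reply_status() {
    awk '
        /^;; ->>HEADER<<-/ && /status: SERVFAIL/ { servfail = 1 }
        /^;; flags:/ && / ad[ ;]/              { ad = 1 }
        /^;; ANSWER SECTION:/                   { inans = 1; next }
        /^;; /                                  { inans = 0 }   # next section header
        inans && $4 == "RRSIG"                  { rrsig = 1 }
        END {
            if (servfail)   print "SERVFAIL: resolver withheld the answer (validation failed, or upstream broken)"
            else if (ad)    print "SECURE: validated, ad flag set"
            else if (rrsig) print "UNVALIDATED: RRSIGs present but no ad flag (dnssec-debug, or resolver not validating)"
            else            print "INSECURE: no RRSIGs in the answer (unsigned zone, or signatures stripped)"
        }'
}

# stdin: `dig <name> DS` output. A validator without DLV support (dnsmasq) can
# only anchor a zone through a DS at the parent or a configured trust-anchor.
ds_status() {
    awk '
        /^;; ANSWER SECTION:/ { inans = 1; next }
        /^;; /                { inans = 0 }
        inans && $4 == "DS"   { n++ }
        END {
            if (n) print "DS-PRESENT: " n " DS record(s) at the parent"
            else   print "NO-DS: parent publishes no DS record for this zone"
        }'
}

# check_name <name>: live query via dig; set RESOLVER=<ip> to pick the server.
check_name() {
    srv=${RESOLVER:+@$RESOLVER}
    printf '%s A : ' "$1"; dig $srv +dnssec "$1" A | reply_status
    printf '%s DS: ' "$1"; dig $srv "$1" DS        | ds_status
}

# Constructed sample reply (ad flag set, RRSIG present) so the script runs offline.
sample_reply() {
    printf '%s\n' \
      ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1' \
      ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1' \
      ';; ANSWER SECTION:' \
      'www.ietf.org.  1800 IN A     192.0.2.1' \
      'www.ietf.org.  1800 IN RRSIG A 5 3 1800 20150501000000 20150401000000 40452 ietf.org. c29tZQ==' \
      ';; Query time: 10 msec'
}
if [ "$#" -gt 0 ]; then for n in "$@"; do check_name "$n"; done
else sample_reply | reply_status; fi
```

Run it with no arguments to classify the constructed sample, or with one or more names (and optionally `RESOLVER=192.168.1.1`) to query a live dnsmasq; a name that comes back UNVALIDATED is the dnssec-debug case, and NO-DS on the parent is the DLV-only situation described for bufferbloat.net.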