[Dnsmasq-discuss] bugs.gentoo.org and dnssec

Alon Bar-Lev alon.barlev at gmail.com
Tue Apr 21 21:51:39 BST 2015


On 21 April 2015 at 21:41, Simon Kelley <simon at thekelleys.org.uk> wrote:
> Thanks for the report. I just tested 2.72 and the current code in git,
> and both worked fine, using Google public DNS (8.8.8.8) as upstream.
>

I can confirm that using 8.8.8.8 it is working correctly.

>
> What do you know about the upstream server you're forwarding to? Is
> there a possibility that it's "fiddling" with the data it supplies?
>

It may be; how can I check that? What do you need?

>
> Cheers,
>
> Simon.
>
>
> On 21/04/15 18:55, Alon Bar-Lev wrote:
>> Hi,
>>
>> When using bugs.gentoo.org with dnsmasq-2.72 and dnssec enabled, I
>> cannot access attachments.
>>
>> The attachments are forwarded to a CNAME, for example:
>> ---
>> 546330.bugs.gentoo.org. 60      IN      CNAME   bugs-gossamer.gentoo.org.
>> bugs-gossamer.gentoo.org. 300   IN      CNAME   gannet.gentoo.org.
>> gannet.gentoo.org.      604800  IN      A       204.187.15.4
>> ---
>>
>> When trying to access without dnssec all is ok:
>> ---
>> Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
>> Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
>> Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
>> Apr 21 20:19:04 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
>> Apr 21 20:19:04 [dnsmasq] reply bugs-gossamer.gentoo.org is <CNAME>
>> Apr 21 20:19:04 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
>> ---
>>
>> When trying to access with dnssec, notice the "validation result
>> is BOGUS", no result is returned:
>> ---
>> Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
>> Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
>> Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] gentoo.org to 10.38.5.26
>> Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] gentoo.org to 10.38.5.26
>> Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] 8.8org to 10.38.5.26
>> Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] org to 10.38.5.26
>> Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] . to 10.38.5.26
>> Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 19036
>> Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 48613
>> Apr 21 20:09:33 [dnsmasq] reply org is DS keytag 21366
>> - Last output repeated twice -
>> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 3213
>> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 21366
>> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 9795
>> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 34023
>> Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DS keytag 46873
>> - Last output repeated twice -
>> Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 52980
>> Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
>> Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
>> Apr 21 20:09:33 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
>> Apr 21 20:09:33 [dnsmasq] reply bugs-gossamer.gentoo.org is <CNAME>
>> Apr 21 20:09:33 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
>> ---
>>
>> Maybe it is a local issue of the DNS I am using (I have no access to
>> it), but maybe there is an issue at dnsmasq.
>>
>> Peer reported that local unbound is working properly.
>>
>> Regards, Alon Bar-Lev.
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>
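
An added example, not part of the original thread and not dnsmasq code: a small parser for the log format quoted above that tallies validation results per forwarder and checks whether each DS keytag has a matching DNSKEY keytag in the replies. The sample lines are copied from the quoted log; the function names are hypothetical, and the parser assumes client queries are not interleaved.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the log quoted in the message above, one event per line.
SAMPLE_LOG = """\
Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DS keytag 46873
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 52980
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \[dnsmasq\] (.+)$", re.M)
QUERY = re.compile(r"query\[\w+\] (\S+) from \S+")
FORWARD = re.compile(r"forwarded \S+ to (\S+)")
KEY = re.compile(r"reply (\S+) is (DS|DNSKEY) keytag (\d+)")
RESULT = re.compile(r"validation result is (\w+)")

def parse(log):
    """One record per client query (assumption: queries are not interleaved)."""
    records = []
    for msg in LINE.findall(log):
        if m := QUERY.fullmatch(msg):
            records.append({"name": m.group(1), "upstream": None,
                            "result": None, "DS": {}, "DNSKEY": {}})
        elif not records:
            continue  # event logged before any client query was seen
        elif m := FORWARD.fullmatch(msg):
            records[-1]["upstream"] = m.group(1)
        elif m := KEY.fullmatch(msg):
            records[-1][m.group(2)].setdefault(m.group(1), set()).add(int(m.group(3)))
        elif m := RESULT.fullmatch(msg):
            records[-1]["result"] = m.group(1)
    return records

def results_by_upstream(records):
    """Count validation results per forwarder, to see whether BOGUS follows one upstream."""
    counts = defaultdict(Counter)
    for rec in records:
        counts[rec["upstream"]][rec["result"]] += 1
    return {server: dict(c) for server, c in counts.items()}

def zones_missing_ds_link(rec):
    """Zones whose DS keytags match none of the DNSKEY keytags seen in the replies."""
    return sorted(z for z, t in rec["DS"].items() if not t & rec["DNSKEY"].get(z, set()))
```

On the sample, `results_by_upstream(parse(SAMPLE_LOG))` separates the INSECURE answer via 192.168.1.1 from the BOGUS answer via 10.38.5.26, and `zones_missing_ds_link` returns an empty list for the BOGUS record because DS keytag 46873 has a matching DNSKEY.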


