[Dnsmasq-discuss] bugs.gentoo.org and dnssec

Simon Kelley simon at thekelleys.org.uk
Wed Apr 22 22:02:14 BST 2015



On 21/04/15 21:51, Alon Bar-Lev wrote:
> On 21 April 2015 at 21:41, Simon Kelley <simon at thekelleys.org.uk>
> wrote:
> 
> Thanks for the report. I just tested 2.72 and the current code in
> git, and both worked fine, using Google public DNS (8.8.8.8) as
> upstream.
> 
> 
>> I can confirm that using 8.8.8.8 it is working correctly.
> 
> 
> What do you know about the upstream server you're forwarding to?
> Is there a possibility that it's "fiddling" with the data it
> supplies?
> 
> 
>> it may be, how can I check that? what do you need?


Start with the results of

dig @192.168.1.1 +dnssec 546330.bugs.gentoo.org

please.

Cheers,


Simon.

> 
> 
> Cheers,
> 
> Simon.
> 
> 
> On 21/04/15 18:55, Alon Bar-Lev wrote:
>>>> Hi,
>>>> 
>>>> When using bugs.gentoo.org with dnsmasq-2.72 and dnssec
>>>> enabled, I cannot access attachments.
>>>> 
>>>> The attachments are forwarded to a CNAME, for example:
>>>> ---
>>>> 546330.bugs.gentoo.org.    60      IN      CNAME   bugs-gossamer.gentoo.org.
>>>> bugs-gossamer.gentoo.org.  300     IN      CNAME   gannet.gentoo.org.
>>>> gannet.gentoo.org.         604800  IN      A       204.187.15.4
>>>> ---
>>>> 
>>>> When trying to access without dnssec all is ok:
>>>> ---
>>>> Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
>>>> Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
>>>> Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
>>>> Apr 21 20:19:04 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
>>>> Apr 21 20:19:04 [dnsmasq] reply bugs-gossamer.gentoo.org is <CNAME>
>>>> Apr 21 20:19:04 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
>>>> ---
>>>> 
>>>> When trying to access with dnssec, notice the "validation result is BOGUS"; no result is returned:
>>>> ---
>>>> Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
>>>> Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
>>>> Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] gentoo.org to 10.38.5.26
>>>> Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] gentoo.org to 10.38.5.26
>>>> Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] org to 10.38.5.26
>>>> Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] org to 10.38.5.26
>>>> Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] . to 10.38.5.26
>>>> Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 19036
>>>> Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 48613
>>>> Apr 21 20:09:33 [dnsmasq] reply org is DS keytag 21366
>>>> - Last output repeated twice -
>>>> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 3213
>>>> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 21366
>>>> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 9795
>>>> Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 34023
>>>> Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DS keytag 46873
>>>> - Last output repeated twice -
>>>> Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 52980
>>>> Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
>>>> Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
>>>> Apr 21 20:09:33 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
>>>> Apr 21 20:09:33 [dnsmasq] reply bugs-gossamer.gentoo.org is <CNAME>
>>>> Apr 21 20:09:33 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
>>>> ---
>>>> 
>>>> Maybe it is a local issue of the DNS I am using (I have no
>>>> access to it), but maybe there is an issue in dnsmasq.
>>>> 
>>>> Peer reported that local unbound is working properly.
>>>> 
>>>> Regards, Alon Bar-Lev.
>>>> 
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

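A small triage helper for dnsmasq `log-queries` output of the kind quoted in this thread, added here as an example (it is not code from dnsmasq or from either poster). It groups each client lookup with the upstream it was forwarded to, the DS/DNSKEY zones fetched while walking the chain of trust, and the validation verdict, so a BOGUS result can be tied to the upstream that supplied the data; the sample log is constructed from the thread's lines and the line layout assumed is the one shown there.

```python
import re
# Constructed sample modelled on the dnsmasq log lines quoted in this thread:
# one lookup via 10.38.5.26 ending BOGUS, one via 192.168.1.1 ending INSECURE.
SAMPLE_LOG = """\
Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] . to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] reply org is DS keytag 21366
Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
Apr 21 20:09:33 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
Apr 21 20:09:33 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
Apr 21 20:19:04 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
"""
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \[dnsmasq\] (?P<msg>.*)$")

def triage(log_text):
    """One record per client query: upstream, chain-of-trust zones fetched, verdict, answers."""
    records, cur = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # e.g. "- Last output repeated twice -" has no timestamp prefix
            continue
        msg = m.group("msg")
        parts = msg.split()
        if msg.startswith("query["):  # "query[A] name from client" opens a new lookup
            cur = {"name": parts[1], "client": parts[3], "upstream": None, "chain": [], "result": None, "answers": []}
            records.append(cur)
        elif cur is None:  # stray line before the first query
            continue
        elif msg.startswith("forwarded "):  # "forwarded name to upstream"
            cur["upstream"] = parts[-1]
        elif msg.startswith("dnssec-query["):  # "dnssec-query[DS] zone to upstream"
            cur["chain"].append((parts[0][13:-1], parts[1]))
        elif msg.startswith("validation result is "):
            cur["result"] = parts[-1]
        elif msg.startswith("reply "):  # "reply name is value"; still logged after BOGUS
            name, _, value = msg[6:].partition(" is ")
            cur["answers"].append((name, value))
    return records

def bogus_queries(records):
    """Lookups the client got SERVFAIL for: BOGUS verdict despite answers arriving from upstream."""
    return [(r["name"], r["upstream"], r["chain"]) for r in records if r["result"] == "BOGUS"]
```

Comparing the `chain` and `upstream` of a BOGUS record against the same lookup through a known-good resolver (as the dig request above does by hand) shows whether the failing upstream is the one altering DNSSEC data.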
