[Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au

Simon Kelley simon at thekelleys.org.uk
Sat Jun 6 21:45:23 BST 2015



On 06/06/15 09:58, Karl-Johan Karlsson wrote:
> Hello,
> 
> When dnssec-check-unsigned is set, dnsmasq (2.72 and 2.73rc8)
> returns SERVFAIL for queries for linux.conf.au, claiming a "BOGUS
> DS":
> 
> Jun 06 10:15:24 [dnsmasq] query[ANY] linux.conf.au from 192.168.3.138
> Jun 06 10:15:24 [dnsmasq] forwarded linux.conf.au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] forwarded linux.conf.au to ::1
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] . to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] reply . is DNSKEY keytag 19036
> Jun 06 10:15:24 [dnsmasq] reply . is DNSKEY keytag 48613
> Jun 06 10:15:24 [dnsmasq] reply au is DS keytag 37976
> - Last output repeated twice -
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] conf.au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] reply au is DNSKEY keytag 37976
> Jun 06 10:15:24 [dnsmasq] reply au is DNSKEY keytag 38218
> Jun 06 10:15:24 [dnsmasq] reply conf.au is DS keytag 47617
> - Last output repeated twice -
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DS] linux.conf.au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] dnssec-query[DNSKEY] conf.au to 127.0.0.1
> Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 62005
> Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 14643
> Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 53538
> Jun 06 10:15:24 [dnsmasq] reply conf.au is DNSKEY keytag 47617
> Jun 06 10:15:24 [dnsmasq] reply linux.conf.au is BOGUS DS
> Jun 06 10:15:24 [dnsmasq] validation linux.conf.au is BOGUS
> 
> When dnssec-check-unsigned is not set, it's correctly regarded as
> unsigned:
> 
> Jun 06 10:15:10 [dnsmasq] query[ANY] linux.conf.au from 192.168.3.138
> Jun 06 10:15:10 [dnsmasq] forwarded linux.conf.au to 127.0.0.1
> Jun 06 10:15:10 [dnsmasq] validation result is INSECURE
> 
> I'm not really sure who to blame here; linux.conf.au is the only
> domain I've seen this error for, but other resolvers (e.g. the
> Unbound which serves as upstream for my Dnsmasq) resolve it just
> fine. Dnsmasq with and without dnssec-check-unsigned, and Unbound,
> correctly reject dnssec-failed.org. 
> <URL:http://dnssec-debugger.verisignlabs.com/linux.conf.au> sees
> nothing strange about linux.conf.au either.
> 
dnssec-debugger.verisignlabs.com does find a problem. There are no DS
records for linux.conf.au. Therefore there's no way to verify any
signatures for linux.conf.au, and therefore nothing in linux.conf.au
can be validated.

However, the reply to the DS query for linux.conf.au proves that no
DS records for linux.conf.au exist using NSEC3 records, and dnsmasq is
not liking that reply, which I think must be an error in dnsmasq, given
that other validators are happy. However, I can't see how the answer
completely proves the DS records for linux.conf.au don't exist, so
dnsmasq is just replicating my faulty understanding.

I'm taking advice on this. More later.


Cheers,

Simon.
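
The check Simon is unsure about is the "no DS at a delegation" rule of RFC 5155 section 8.9. As an added illustration (not code from dnsmasq or from this thread), the function below applies that rule to an NSEC3 answer: an NSEC3 RR matching the delegation name must carry NS but neither DS nor SOA, and if no RR matches, only a covering RR with the Opt-Out flag (plus a matching RR for the closest encloser) proves the signer legitimately skipped the delegation. The zone contents, salt and iteration count are constructed, RRSIG verification is assumed done elsewhere, and the closest-encloser step is simplified to the parent apex, which is the situation for linux.conf.au directly under conf.au.

```python
import hashlib
B32HEX = "0123456789abcdefghijklmnopqrstuv"

def wire_name(name):
    # Canonical (lowercase) wire-format name: length-prefixed labels plus the root label.
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def b32hex(n):
    # Base32hex (RFC 4648 extended hex alphabet) of a 160-bit integer, no padding.
    return "".join(B32HEX[(n >> (155 - 5 * i)) & 31] for i in range(32))

def nsec3_hash(name, salt=b"", iterations=0):
    # RFC 5155 section 5: SHA-1 over (wire name || salt), re-hashed 'iterations' times.
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return b32hex(int.from_bytes(h, "big"))

def covers(rec, h):
    # h lies strictly between owner and next; the last RR of the chain wraps to the first.
    o, nx = rec["owner"], rec["next"]
    return (o < h < nx) if o < nx else (h > o or h < nx)

def ds_absent(name, apex, nsec3s, salt=b"", iterations=0):
    """RFC 5155 section 8.9: True if the (signature-checked) NSEC3 RRs prove an insecure
    delegation at 'name'; False means the answer must be treated as BOGUS.
    Simplification: the closest encloser is assumed to be the zone apex."""
    h = nsec3_hash(name, salt, iterations)
    match = next((r for r in nsec3s if r["owner"] == h), None)
    if match is not None:
        # The delegation is in the chain: it must carry NS but neither DS nor SOA.
        return "NS" in match["types"] and not ({"DS", "SOA"} & match["types"])
    # No matching RR: only an Opt-Out covering RR, anchored by a matching RR for the
    # closest encloser, proves that the signer legitimately left this delegation out.
    if not any(r["owner"] == nsec3_hash(apex, salt, iterations) for r in nsec3s):
        return False
    cover = next((r for r in nsec3s if covers(r, h)), None)
    return cover is not None and cover["opt_out"]

def build_zone(opt_out=True):
    # Constructed NSEC3 chain for a hypothetical conf.au zone (not real data).
    owners = {"conf.au": {"SOA", "NS", "DNSKEY", "NSEC3PARAM"},
              "linux.conf.au": {"NS"},         # delegation without DS (insecure)
              "signed.conf.au": {"NS", "DS"},  # delegation with DS (secure)
              "www.conf.au": {"A"}}
    chain = sorted((nsec3_hash(n), t) for n, t in owners.items())
    return [{"owner": h, "next": chain[(i + 1) % len(chain)][0],
             "opt_out": opt_out, "types": t} for i, (h, t) in enumerate(chain)]
```

A name absent from the chain (a delegation the signer skipped) is only accepted as insecure when the covering RR has Opt-Out set; without that flag the same answer is bogus, which is the distinction a validator has to get right here.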

