[Dnsmasq-discuss] DNSSEC failure with v2.73rc10

Toke Høiland-Jørgensen toke at toke.dk
Thu Jun 11 17:03:40 BST 2015


So I'm getting DNSSEC failures when trying to look up the domain
'database.srku.dk'.

'dnssec' and 'dnssec-check-unsigned' are both enabled in the dnsmasq config.

The relevant dnsmasq log with log-queries enabled:

Jun 11 17:56:35 gauss dnsmasq[29455]: query[A] database.srku.dk from 10.42.8.5
Jun 11 17:56:35 gauss dnsmasq[29455]: forwarded database.srku.dk to ::1
Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DNSKEY] srku.dk to ::1
Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] srku.dk to ::1
Jun 11 17:56:35 gauss dnsmasq[29455]: reply srku.dk is DS keytag 2083
Jun 11 17:56:35 gauss dnsmasq[29455]: reply srku.dk is DNSKEY keytag 37065
Jun 11 17:56:35 gauss dnsmasq[29455]: reply srku.dk is DNSKEY keytag 2083
Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DNSKEY] studenterraad.dk to ::1
Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] studenterraad.dk to ::1
Jun 11 17:56:35 gauss dnsmasq[29455]: reply studenterraad.dk is DS keytag 12253
Jun 11 17:56:35 gauss dnsmasq[29455]: reply studenterraad.dk is DNSKEY keytag 12253
Jun 11 17:56:35 gauss dnsmasq[29455]: reply studenterraad.dk is DNSKEY keytag 36045
Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] database.studenterraad.dk to ::1
Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.studenterraad.dk is BOGUS DS
Jun 11 17:56:35 gauss dnsmasq[29455]: validation database.srku.dk is BOGUS
Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.srku.dk is <CNAME>
Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.studenterraad.dk is <CNAME>
Jun 11 17:56:35 gauss dnsmasq[29455]: reply web21.sd.eurovps.com is 77.235.54.116

Trying the query with dig seems to work:

$ dig +trace +dnssec database.studenterraad.dk @8.8.8.8

; <<>> DiG 9.9.2-P2 <<>> +trace +dnssec database.studenterraad.dk @8.8.8.8
;; global options: +cmd
.			3175	IN	NS	l.root-servers.net.
.			3175	IN	NS	j.root-servers.net.
.			3175	IN	NS	c.root-servers.net.
.			3175	IN	NS	f.root-servers.net.
.			3175	IN	NS	g.root-servers.net.
.			3175	IN	NS	b.root-servers.net.
.			3175	IN	NS	k.root-servers.net.
.			3175	IN	NS	d.root-servers.net.
.			3175	IN	NS	i.root-servers.net.
.			3175	IN	NS	a.root-servers.net.
.			3175	IN	NS	e.root-servers.net.
.			3175	IN	NS	m.root-servers.net.
.			3175	IN	NS	h.root-servers.net.
.			3175	IN	RRSIG	NS 8 0 518400 20150620170000 20150610160000 48613 . AVDPr19HNLu7NCcaE0NEJA++XTWfAzXdPe6x0uPW7ejcE62PAUl/MfEo FGM6+ogRDYFT0X0qpMhLhaUNtsqJ3drCZfRnlt7yZk7uS6QWXokqDE7j A6iyVF1C148QV5cEndaGpv2L6yS16zF3JUSJBhCtflrnjvrYNUQb27Iy WO4=
;; Received 397 bytes from 8.8.8.8#53(8.8.8.8) in 21 ms

dk.			172800	IN	NS	b.nic.dk.
dk.			172800	IN	NS	a.nic.dk.
dk.			172800	IN	NS	l.nic.dk.
dk.			172800	IN	NS	c.nic.dk.
dk.			172800	IN	NS	s.nic.dk.
dk.			172800	IN	NS	p.nic.dk.
dk.			86400	IN	DS	61294 8 2 7512ABC9F08F74085D4AEC9E7CC6DC402A689F146F9AAFDAE11FCE5D 3ADCA25E
dk.			86400	IN	RRSIG	DS 8 1 86400 20150621050000 20150611040000 48613 . MdgBbP0CuPMGNATQrtCEetXyGNzpAyxOPHWgwRUynnAhDcE62A+V10KD YWzADm9HynztDvJXUOehr3sNU5GGKKpUMlI81x3qo8UliNH6MBfBNoaN kaKOjeCt4+KH13CsbII5If1a5knH1NqdXIr7YASsYpf4c8nMLlfcsHZP Hf8=
;; Received 569 bytes from 192.228.79.201#53(192.228.79.201) in 190 ms

studenterraad.dk.	86400	IN	NS	ns2.gratisdns.dk.
studenterraad.dk.	86400	IN	NS	ns4.gratisdns.dk.
studenterraad.dk.	86400	IN	NS	ns5.gratisdns.dk.
studenterraad.dk.	86400	IN	NS	ns1.gratisdns.dk.
studenterraad.dk.	86400	IN	NS	ns3.gratisdns.dk.
studenterraad.dk.	7200	IN	DS	12253 5 1 225802A8082D4C8E6FA9F494DDB3A2689809FA7D
studenterraad.dk.	7200	IN	RRSIG	DS 8 2 7200 20150708024337 20150610020313 1804 dk. v1N9I/nBESCEQ7Sakcz+eriU4uWF41DUGq9pubjcsYe8n6THEdfWp4ds PKLp1MSV9RalAyspdjxp84He9QloRx0KIkgCy3EZX6RlrdK8miyzzyo7 7uNa5vzaJBNILz2V64H8dLqlk9fx3TBwQeAS6msZRdT4fV/VEs3STVMb xXVLj37+KgoehwtldZ3SgAr7fTJQYuGESsCH5YDwiCtU30h/Cen8SZFH YGW8BYazgBgG+fneRRluuPwHPrZBIpggq+Ump80uJWXLhduPEJ3gj8o4 5jtKAbvDrlpo8Ai/kmcyFJdRgDzGIJzRpl5KFjdlhkX2BnqoaYG08PZT vIt6AA==
;; Received 672 bytes from 2001:678:78:42:ad::53#53(2001:678:78:42:ad::53) in 36 ms

database.studenterraad.dk. 43200 IN	CNAME	web21.sd.eurovps.com.
database.studenterraad.dk. 43200 IN	RRSIG	CNAME 5 3 43200 20150711144201 20150611144201 36045 studenterraad.dk. czsVXeiOz5ZzMe830RUeMc6lT+ZsFDn6HzttyxvR2IXxeD3W4965JzA2 aTYWuW/Y3/W/7AHfC9vd6L0yi4HlBw==
;; Received 200 bytes from 2a02:9d0:3002:1::2#53(2a02:9d0:3002:1::2) in 14 ms




Is this a dnsmasq bug or is something else wrong? I can't seem to
resolve anything in the studenterraad.dk zone through dnsmasq.

-Toke
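
A triage helper for logs like the one in the post above, as an added example that is not part of the original message and is not dnsmasq code: it groups log-queries output by client query and reports which DNSSEC sub-query replies were logged as BOGUS before each BOGUS verdict. The function name and record layout are assumptions made for this example, and it assumes client queries are not interleaved in the log.

```python
import re

# Lines taken from the log in the post above, trimmed to the validation steps.
SAMPLE_LOG = """\
Jun 11 17:56:35 gauss dnsmasq[29455]: query[A] database.srku.dk from 10.42.8.5
Jun 11 17:56:35 gauss dnsmasq[29455]: forwarded database.srku.dk to ::1
Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DNSKEY] srku.dk to ::1
Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] srku.dk to ::1
Jun 11 17:56:35 gauss dnsmasq[29455]: reply srku.dk is DS keytag 2083
Jun 11 17:56:35 gauss dnsmasq[29455]: dnssec-query[DS] database.studenterraad.dk to ::1
Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.studenterraad.dk is BOGUS DS
Jun 11 17:56:35 gauss dnsmasq[29455]: validation database.srku.dk is BOGUS
Jun 11 17:56:35 gauss dnsmasq[29455]: reply database.srku.dk is <CNAME>
"""

MSG = re.compile(r"dnsmasq\[\d+\]: (.*)$")             # strip the syslog prefix
QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")  # client query
SUBQUERY = re.compile(r"dnssec-query\[(\w+)\] (\S+) to \S+")
BOGUS_REPLY = re.compile(r"reply (\S+) is BOGUS (\w+)")
VERDICT = re.compile(r"validation (\S+) is (\w+)")


def bogus_validations(log_text):
    """Return one record per 'validation <name> is BOGUS' line, holding the
    DNSSEC sub-queries and BOGUS replies logged since the client query."""
    records, current = [], None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue  # not a dnsmasq line
        msg = m.group(1)
        if q := QUERY.fullmatch(msg):
            current = {"qtype": q[1], "qname": q[2], "client": q[3],
                       "subqueries": [], "bogus_replies": []}
        elif current is None:
            continue  # validation traffic with no client query seen yet
        elif s := SUBQUERY.fullmatch(msg):
            current["subqueries"].append((s[1], s[2]))
        elif b := BOGUS_REPLY.fullmatch(msg):
            current["bogus_replies"].append((b[2], b[1]))
        elif (v := VERDICT.fullmatch(msg)) and v[2] == "BOGUS":
            records.append({**current, "validated": v[1],
                            "subqueries": list(current["subqueries"]),
                            "bogus_replies": list(current["bogus_replies"])})
    return records


if __name__ == "__main__":
    for rec in bogus_validations(SAMPLE_LOG):
        print(rec["qname"], "from", rec["client"], "->", rec["bogus_replies"])
```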


