[Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9
Maciej Soltysiak
maciej at soltysiak.com
Fri Jun 12 09:19:38 BST 2015
Hi,
One of my users raised an issue that using.dnscrypt.pl does not resolve
when dnssec-check-unsigned is turned on.
I replicated the issue with most recent openwrt Chaos Calmer package:
dnsmasq-full.
When dnssec and trust anhcor are set and dnssec-check-unsigned is as well,
dnsmasq says BOGUS DS:
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl
is BOGUS DS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
using.dnscrypt.pl is BOGUS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl
is 178.62.233.48
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
using.dnscrypt.pl from 192.168.1.206
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl
is BOGUS DS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
using.dnscrypt.pl is BOGUS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl
is 178.62.233.48
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl
is BOGUS DS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
using.dnscrypt.pl is BOGUS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl
is 178.62.233.48
Verisign dnssec check are ok:
http://dnssec-debugger.verisignlabs.com/using.dnscrypt.pl
Oddly, dnscrypt.pl resolves fine. It also works fine if
dnssec-check-unsigned is turned off.
Not sure if rc10 fixes it, it's not in openwrt repo yet.
Any ideas?
Best regards,
Maciej Soltysiak
DNSCrypt Poland
https://dnscrypt.pl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20150612/3a2e94ee/attachment-0001.html>
More information about the Dnsmasq-discuss
mailing list