[Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

Maciej Soltysiak maciej at soltysiak.com
Fri Jun 12 12:16:09 BST 2015


I think I have discovered what the problem is and it's unlikely to be
dnsmasq.

What I do is that I have a setup which is basically a split horizon:
- users who are not on the service get A record for using.dnscrypt from a
DNSSEC signed zone
- users who are on the service get *a different* A record for
using.dnscrypt.pl from unbound, without sigs!

A user on my service who has dnssec-check-unsigned enabled gets an
unsigned response from a signed zone and the intended reaction of dnsmasq
kicks in.

Not a bug then. Is my understanding correct?

Best regards,
Maciej

On Fri, Jun 12, 2015 at 10:19 AM, Maciej Soltysiak <maciej at soltysiak.com>
wrote:

> Hi,
>
> One of my users raised an issue that using.dnscrypt.pl does not resolve
> when dnssec-check-unsigned is turned on.
> I replicated the issue with most recent openwrt Chaos Calmer package:
> dnsmasq-full.
>
> When dnssec and trust anchor are set and dnssec-check-unsigned is as well,
> dnsmasq says BOGUS DS:
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
> using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
> using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
> using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> using.dnscrypt.pl is BOGUS DS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
> using.dnscrypt.pl is BOGUS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> using.dnscrypt.pl is 178.62.233.48
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
> using.dnscrypt.pl from 192.168.1.206
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
> using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
> using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
> using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
> using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
> using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> using.dnscrypt.pl is BOGUS DS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
> using.dnscrypt.pl is BOGUS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> using.dnscrypt.pl is 178.62.233.48
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> using.dnscrypt.pl is BOGUS DS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
> using.dnscrypt.pl is BOGUS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> using.dnscrypt.pl is 178.62.233.48
>
> Verisign DNSSEC checks are OK:
> http://dnssec-debugger.verisignlabs.com/using.dnscrypt.pl
>
> Oddly, dnscrypt.pl resolves fine. It also works fine if
> dnssec-check-unsigned is turned off.
>
> Not sure if rc10 fixes it, it's not in openwrt repo yet.
> Any ideas?
>
> Best regards,
> Maciej Soltysiak
> DNSCrypt Poland
> https://dnscrypt.pl
>
>
>
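
Added example (not part of the original messages and not dnsmasq code): a small Python triage script for the log format quoted above. It groups dnsmasq log events per name and lists names whose validation was BOGUS at the DS lookup while the upstream still returned an address, the symptom this thread traces to an unsigned split-horizon answer for a name inside a signed zone. The function names, the heuristic, and the last three sample lines (example.test) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First six lines: from the log quoted above, re-joined onto single lines.
# Last three lines: constructed for contrast, in the same format.
SAMPLE_LOG = """\
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from 192.168.1.206
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
Fri Jun 12 10:14:35 2015 daemon.info dnsmasq[6769]: query[A] example.test from 192.168.1.206
Fri Jun 12 10:14:35 2015 daemon.info dnsmasq[6769]: validation example.test is SECURE
Fri Jun 12 10:14:35 2015 daemon.info dnsmasq[6769]: reply example.test is 192.0.2.10
"""

EVENT = re.compile(
    r"dnsmasq\[\d+\]: (?:"
    r"(?P<q>query|dnssec-query)\[(?P<qtype>\w+)\] (?P<qname>\S+) (?:from|to) (?P<peer>\S+)"
    r"|validation (?P<vname>\S+) is (?P<status>\w+)"
    r"|reply (?P<rname>\S+) is (?P<value>.+))$"
)

def summarize(log_text):
    """Per name: querying clients, final validation status, bogus RR types, answers."""
    names = defaultdict(lambda: {"clients": set(), "status": None,
                                 "bogus_rrtypes": set(), "answers": set()})
    for line in log_text.splitlines():
        m = EVENT.search(line.strip())
        if not m:
            continue  # "forwarded" and unrelated lines carry nothing we need
        if m["q"] == "query":
            names[m["qname"]]["clients"].add(m["peer"])
        elif m["vname"]:
            names[m["vname"]]["status"] = m["status"]
        elif m["rname"]:
            value = m["value"]
            if value.startswith("BOGUS "):      # e.g. "BOGUS DS"
                names[m["rname"]]["bogus_rrtypes"].add(value.split()[1])
            else:                               # an address from upstream
                names[m["rname"]]["answers"].add(value)
    return dict(names)

def split_horizon_suspects(log_text):
    """Heuristic (assumption): BOGUS at the DS step, yet upstream supplied an address."""
    return sorted(n for n, e in summarize(log_text).items()
                  if e["status"] == "BOGUS" and "DS" in e["bogus_rrtypes"] and e["answers"])

if __name__ == "__main__":
    print(split_horizon_suspects(SAMPLE_LOG))
```

Names it reports are candidates for comparing the resolver's override against the public signed zone; the script does not perform any DNS lookups itself.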