[Dnsmasq-discuss] Dnsmasq masks dnssec signatures for AAAA records when serving local A records for the same hostname

Felix Lechner felix.lechner at gmail.com
Thu Jul 9 16:45:43 BST 2015


 Hello Simon,

What version of dnsmasq are you using?
>

Shibby's changelog states that an update to dnsmaq 2.72+ occurred in his
Tomato version 1.25. Presumably that is also in the Tomato 1.28 on my
router.

 – dnsmasq 2.72+ up to December 9 2014 – thx @toastman


> Are you saying that dnsmasq strips the signatures from the answers
> which arrive from upstream?
>

Yes. My zone defines AAAA records for some local hosts behind NAT. Those
records do not validate on local validating resolvers when using the Tomato
router for DNS.

Quering dnsmasq shows the signatures are not forwarded. (Other record types
such as SSH fingerprints are apparently also not forwarded.) The AAAA
record is forwarded.

dig @tomato-router -t any host-behind-nat-with-global-aaaa-record

shows the local A record and the global AAAA records, but no RRSIG, NSEC or
SSHFP records.

dig @tomato-router -t any host-outside-nat-with-global-a-and-aaaa-records

shows global A, AAAA, RRSIG, NSEC and SSHFP records.

dig @authoritative-server -t any host-behind-nat-with-global-aaaa-record

shows global AAAA, RRSIG, NSEC and SSHFP records, but of course no local A
record.

I could avoid the router for DNS, but then I lose the local A records,
which I need because some devices autoconfigure via DHCP but do not support
IPv6.


> Do you have DNSSEC validation enabled in dnsmasq?
>

I don't think it would be enabled in Tomato. I did not modify the default
configuration.


>


> Cheers,
>
> Simon.
>
>
> On 30/06/15 04:07, Felix Lechner wrote:
> > Hi,
> >
> > My tomato router does not forward DNSSEC signatures for AAAA
> > records when also serving local A records for the same hostnames
> > from DHCP.
> >
> > A local validating resolver which uses dnsmasq for caching will
> > then not show the AAAA records from the signed zone.
> >
> > Can I turn off the local DHCP hostname resolution (or the
> > signature masking, if it is intentional), please?
> >
> > Thank you!
> >
> > Tomato firmware version is 1.28.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20150709/de74d5f1/attachment.html>


More information about the Dnsmasq-discuss mailing list