[Dnsmasq-discuss] Dnsmasq masks dnssec signatures for AAAA records when serving local A records for the same hostname

Simon Kelley simon at thekelleys.org.uk
Mon Jul 13 14:45:49 BST 2015


On 09/07/15 16:45, Felix Lechner wrote:
> Hello Simon,
> 
>> What version of dnsmasq are you using?
> 
> Shibby's changelog states that an update to dnsmasq 2.72+ occurred
> in his Tomato version 1.25. Presumably that is also in the Tomato
> 1.28 on my router.
> 
> – dnsmasq 2.72+ up to December 9 2014 – thx @toastman
> 
> 
>> Are you saying that dnsmasq strips the signatures from the
>> answers which arrive from upstream?
>> 
> 
> Yes. My zone defines AAAA records for some local hosts behind NAT.
> Those records do not validate on local validating resolvers when
> using the Tomato router for DNS.
> 
> Querying dnsmasq shows the signatures are not forwarded. (Other
> record types such as SSH fingerprints are apparently also not
> forwarded.) The AAAA record is forwarded.

My best guess is that dnsmasq is answering the queries without ever
forwarding them to the upstream nameserver, because it has the
information to do that (from /etc/hosts or similar, or DHCP leases.)

Can you add --log-queries to the dnsmasq configuration. That will tell
us what's happening.


Cheers,

Simon.

> 
> dig @tomato-router -t any host-behind-nat-with-global-aaaa-record
> 
> shows the local A record and the global AAAA records, but no RRSIG,
> NSEC or SSHFP records.
> 
> dig @tomato-router -t any
> host-outside-nat-with-global-a-and-aaaa-records
> 
> shows global A, AAAA, RRSIG, NSEC and SSHFP records.
> 
> dig @authoritative-server -t any
> host-behind-nat-with-global-aaaa-record
> 
> shows global AAAA, RRSIG, NSEC and SSHFP records, but of course no
> local A record.
> 
> I could avoid the router for DNS, but then I lose the local A
> records, which I need because some devices autoconfigure via DHCP
> but do not support IPv6.
> 
> 
>> Do you have DNSSEC validation enabled in dnsmasq?
>> 
> 
> I don't think it would be enabled in Tomato. I did not modify the
> default configuration.
> 
>> Cheers,
>> 
>> Simon.
>> 
>> 
>> On 30/06/15 04:07, Felix Lechner wrote:
>>> Hi,
>>> 
>>> My tomato router does not forward DNSSEC signatures for AAAA 
>>> records when also serving local A records for the same
>>> hostnames from DHCP.
>>> 
>>> A local validating resolver which uses dnsmasq for caching
>>> will then not show the AAAA records from the signed zone.
>>> 
>>> Can I turn off the local DHCP hostname resolution (or the 
>>> signature masking, if it is intentional), please?
>>> 
>>> Thank you!
>>> 
>>> Tomato firmware version is 1.28.
> 
> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk 
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
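Added example, not part of the thread and not dnsmasq's own code: a small Python script for reading the --log-queries output Simon asks for. It groups each query[...] line with the lines that follow it for the same name and reports whether dnsmasq answered from a local source (DHCP lease, /etc/hosts, cache, config) or forwarded the query upstream; a query answered purely locally never went to the authoritative server, so its answer cannot carry that zone's RRSIG records. The log lines are constructed, and their shape (syslog prefix, then `query[TYPE] name from client`, `DHCP name is addr`, `/etc/hosts name is addr`, `forwarded name to server`, `reply name is addr`) is assumed from dnsmasq's logging conventions rather than taken from the page.

```python
import re

# Constructed sample of dnsmasq --log-queries output; not a capture from the
# router in the thread. The line shapes (syslog prefix, then one of
#   query[TYPE] name from client
#   DHCP name is addr          answered from a DHCP lease
#   /etc/hosts name is addr    answered from the hosts file
#   cached name is addr        answered from the cache
#   config name is addr        answered from --address/--host-record
#   forwarded name to server   sent to an upstream server
#   reply name is addr         upstream's answer
# ) are an assumption based on dnsmasq's logging conventions.
SAMPLE_LOG = """\
Jul  9 16:40:01 router dnsmasq[512]: query[A] nas.example.net from 192.168.1.23
Jul  9 16:40:01 router dnsmasq[512]: DHCP nas.example.net is 192.168.1.40
Jul  9 16:40:01 router dnsmasq[512]: query[AAAA] nas.example.net from 192.168.1.23
Jul  9 16:40:01 router dnsmasq[512]: forwarded nas.example.net to 192.0.2.53
Jul  9 16:40:01 router dnsmasq[512]: reply nas.example.net is 2001:db8::40
Jul  9 16:40:02 router dnsmasq[512]: query[A] printer.lan from 192.168.1.23
Jul  9 16:40:02 router dnsmasq[512]: /etc/hosts printer.lan is 192.168.1.9
Jul  9 16:40:02 router dnsmasq[512]: query[A] www.example.net from 192.168.1.23
Jul  9 16:40:02 router dnsmasq[512]: forwarded www.example.net to 192.0.2.53
Jul  9 16:40:02 router dnsmasq[512]: reply www.example.net is 198.51.100.10
"""

MSG_RE = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")
LOCAL_RE = re.compile(r"(?P<src>/etc/hosts|DHCP|cached|config) (?P<name>\S+) is ")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<server>\S+)")


def classify_queries(log_text):
    """Group each query[...] line with the lines that follow it for the same
    name and record whether dnsmasq answered it locally, forwarded it, or
    did both (e.g. an A from a lease plus an AAAA from upstream).
    Matching on the name keeps interleaved queries for other names from
    being attributed to the wrong query."""
    queries = []
    current = None
    for raw in log_text.splitlines():
        m = MSG_RE.search(raw)
        if not m:
            continue
        msg = m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            current = {"qtype": q["qtype"], "name": q["name"],
                       "client": q["client"], "local": [], "forwarded": []}
            queries.append(current)
            continue
        if current is None:
            continue
        loc = LOCAL_RE.match(msg)
        if loc and loc["name"] == current["name"]:
            current["local"].append(loc["src"])
            continue
        fwd = FORWARD_RE.match(msg)
        if fwd and fwd["name"] == current["name"]:
            current["forwarded"].append(fwd["server"])
    for q in queries:
        if q["forwarded"] and not q["local"]:
            q["answer"] = "forwarded"
        elif q["local"] and not q["forwarded"]:
            q["answer"] = "local"
        elif q["local"]:
            q["answer"] = "mixed"
        else:
            q["answer"] = "unknown"
    return queries


def locally_answered(queries):
    """(qtype, name) pairs dnsmasq answered without contacting upstream;
    these answers cannot carry the upstream zone's RRSIG records."""
    return sorted({(q["qtype"], q["name"]) for q in queries if q["answer"] == "local"})


if __name__ == "__main__":
    for q in classify_queries(SAMPLE_LOG):
        print(f'{q["qtype"]:5} {q["name"]:20} {q["answer"]:9} '
              f'local={q["local"]} upstream={q["forwarded"]}')
```

Run it against a real log by replacing SAMPLE_LOG with the router's syslog contents after enabling --log-queries. For the symptom in the thread, look for the names with a local A record: if their A (or ANY) queries show up as "local" while the AAAA queries for other names show up as "forwarded", the missing signatures are explained by dnsmasq never having asked upstream for those answers.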