[Dnsmasq-discuss] Cannot resolve csail.mit.edu with --dnssec
Anders Kaseorg
andersk at mit.edu
Fri Jul 17 10:54:04 BST 2015
csail.mit.edu is a signed zone inside the unsigned mit.edu zone. (It
happens to be registered in dlv.isc.org, but that’s not relevant to
dnsmasq.) Since an NSEC3 record in edu verifies that mit.edu is
unsigned, this should be fine. However, dnsmasq thinks that everything
in csail.mit.edu is BOGUS and returns SERVFAIL. This occurs even
without --dnssec-check-unsigned.
Log output from current master:
$ make COPTS='-DHAVE_DNSSEC'
$ src/dnsmasq -d --log-queries=extra --dnssec -C trust-anchors.conf -R -S 8.8.8.8
dnsmasq: started, version 2.74rc3 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
dnsmasq: DNSSEC validation enabled
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 7 addresses
dnsmasq: 1 127.0.0.1/42010 query[A] csail.mit.edu from 127.0.0.1
dnsmasq: 1 127.0.0.1/42010 forwarded csail.mit.edu to 8.8.8.8
dnsmasq: * 127.0.0.1/42010 dnssec-query[DNSKEY] csail.mit.edu to 8.8.8.8
dnsmasq: * 127.0.0.1/42010 dnssec-query[DS] csail.mit.edu to 8.8.8.8
dnsmasq: 1 127.0.0.1/42010 validation csail.mit.edu is BOGUS
dnsmasq: 1 127.0.0.1/42010 reply csail.mit.edu is 128.30.2.121
Some quick debugging shows that the translation from STAT_NO_SIG to
STAT_BOGUS occurs here at src/forward.c:854:
else if (status == STAT_NO_NS || status == STAT_NO_SIG)
  status = STAT_BOGUS;
git bisect blames commit 97e618a0e3f29465acc689d87288596b006f197e
“DNSSEC: do top-down search for limit of secure delegation.” (For what
it’s worth, I know you put a lot of work into that commit at my
suggestion, so I don’t want to sound ungrateful or anything!)
Anders
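The distinction the post relies on, between a name that sits below a provably unsigned delegation (INSECURE) and one whose signatures are actually missing or broken (BOGUS), is the core of RFC 4035 section 5 validation. The following is an added example, not dnsmasq's code and not from the original post: a small model of the "top-down search for the limit of secure delegation" next to a naive bottom-up check that maps an unsigned DS answer straight to BOGUS, which is the behaviour the post reports. The zone table, the `DS`/`Status` enums and the function names are constructed for illustration; the model also assumes every label is a zone cut, which a real validator discovers with NS/DS queries rather than assumes.

```python
"""Model of DNSSEC validation states along a delegation chain.

Added example (not dnsmasq code).  Walks from the root trust anchor toward
the queried name and, at each zone cut, asks what the parent says about the
child's DS record.  Three outcomes are possible at a cut:

  validated DS present                    -> still inside the secure island
  authenticated denial (NSEC/NSEC3, no DS) -> child and everything below is INSECURE
  neither signature nor denial proof       -> BOGUS
"""

from enum import Enum
from typing import Dict, List


class DS(Enum):
    PRESENT = "validated DS present"
    PROVEN_ABSENT = "authenticated denial of DS"
    UNPROVEN = "no DS and no denial proof"


class Status(Enum):
    SECURE = "SECURE"
    INSECURE = "INSECURE"
    BOGUS = "BOGUS"


# Constructed table (an assumption for this example, not real DNS data): for
# each zone cut, what the *parent* zone says about the child's DS record.
# It mirrors the shape of the case in the post: a signed TLD, an unsigned
# second-level zone with an NSEC3 proof of no DS, and a self-signed zone
# beneath it whose DS nobody can vouch for.
CONSTRUCTED_DS_TABLE: Dict[str, DS] = {
    "edu.": DS.PRESENT,                 # root delegates to edu securely
    "mit.edu.": DS.PROVEN_ABSENT,       # NSEC3 in edu proves there is no DS
    "csail.mit.edu.": DS.UNPROVEN,      # mit.edu is unsigned, so its DS answer carries no signature
}


def zone_cuts(name: str) -> List[str]:
    """'csail.mit.edu.' -> ['edu.', 'mit.edu.', 'csail.mit.edu.'] (top-down, root excluded).

    Assumes every label is a zone cut; a real validator has to discover cuts.
    """
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def top_down_status(name: str, ds_table: Dict[str, DS]) -> Status:
    """Correct behaviour: stop at the first cut whose DS is proven absent.

    That cut is the limit of the secure delegation; anything below it is
    INSECURE, not BOGUS, because the parent has authenticated that there is
    nothing to validate against.
    """
    for cut in zone_cuts(name):
        ds = ds_table.get(cut, DS.UNPROVEN)
        if ds is DS.PRESENT:
            continue                    # secure island continues downward
        if ds is DS.PROVEN_ABSENT:
            return Status.INSECURE      # limit of secure delegation reached
        return Status.BOGUS             # inside a signed parent but no proof either way
    return Status.SECURE


def naive_status(name: str, ds_table: Dict[str, DS]) -> Status:
    """The failure mode the post describes: look only at the queried name's
    own DS answer and treat "no signature" as BOGUS without first checking
    whether an ancestor is provably unsigned."""
    ds = ds_table.get(name, DS.UNPROVEN)
    if ds is DS.PRESENT:
        return Status.SECURE
    if ds is DS.PROVEN_ABSENT:
        return Status.INSECURE
    return Status.BOGUS                 # STAT_NO_SIG -> BOGUS, with no ancestor check


if __name__ == "__main__":
    for qname in ("edu.", "www.mit.edu.", "csail.mit.edu.", "unproven.edu."):
        print(f"{qname:18} top-down={top_down_status(qname, CONSTRUCTED_DS_TABLE).value:9}"
              f" naive={naive_status(qname, CONSTRUCTED_DS_TABLE).value}")
```

Run as a script, the table shows `csail.mit.edu.` coming out INSECURE under the top-down walk and BOGUS under the naive check, while `unproven.edu.` (a constructed name directly under a signed parent with no DS proof) is BOGUS under both, which is the case the BOGUS mapping is actually meant for.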