[Dnsmasq-discuss] Cannot resolve csail.mit.edu with --dnssec

Simon Kelley simon at thekelleys.org.uk
Fri Jul 17 12:52:35 BST 2015



Looking at the contents of the DNS, csail.mit.edu arrives with a
signature against a non-existent key for csail.mit.edu. Dnsmasq seems
to be barfing at that point, without checking to see if unsigned
records are legit there. Another corner case.

No problem with looking at this: I'd rather know about problems:
especially as I've no way of doing comprehensive testing at the moment.
Live reports are the best I can do.

Cheers,

Simon.


On 17/07/15 10:54, Anders Kaseorg wrote:
> csail.mit.edu is a signed zone inside the unsigned mit.edu zone.
> (It happens to be registered in dlv.isc.org, but that’s not
> relevant to dnsmasq.)  Since an NSEC3 record in edu verifies that
> mit.edu is unsigned, this should be fine.  However, dnsmasq thinks
> that everything in csail.mit.edu is BOGUS and returns SERVFAIL.
> This occurs even without --dnssec-check-unsigned.
> 
> Log output from current master:
> 
> $ make COPTS='-DHAVE_DNSSEC'
> $ src/dnsmasq -d --log-queries=extra --dnssec -C trust-anchors.conf -R -S 8.8.8.8
> dnsmasq: started, version 2.74rc3 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
> dnsmasq: DNSSEC validation enabled
> dnsmasq: using nameserver 8.8.8.8#53
> dnsmasq: read /etc/hosts - 7 addresses
> dnsmasq: 1 127.0.0.1/42010 query[A] csail.mit.edu from 127.0.0.1
> dnsmasq: 1 127.0.0.1/42010 forwarded csail.mit.edu to 8.8.8.8
> dnsmasq: * 127.0.0.1/42010 dnssec-query[DNSKEY] csail.mit.edu to 8.8.8.8
> dnsmasq: * 127.0.0.1/42010 dnssec-query[DS] csail.mit.edu to 8.8.8.8
> dnsmasq: 1 127.0.0.1/42010 validation csail.mit.edu is BOGUS
> dnsmasq: 1 127.0.0.1/42010 reply csail.mit.edu is 128.30.2.121
> 
> Some quick debugging shows that the translation from STAT_NO_SIG
> to STAT_BOGUS occurs here at src/forward.c:854:
> 
> else if (status == STAT_NO_NS || status == STAT_NO_SIG)
>   status = STAT_BOGUS;
> 
> git bisect blames commit 97e618a0e3f29465acc689d87288596b006f197e 
> “DNSSEC: do top-down search for limit of secure delegation.”  (For
> what it’s worth, I know you put a lot of work into that commit at
> my suggestion, so I don’t want to sound ungrateful or anything!)
> 
> Anders
> 
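The following is an added illustration written for this archive page; it is not dnsmasq code and was not posted by anyone in the thread. It models the RFC 4035 section 4.3 security states (SECURE / INSECURE / BOGUS) with a top-down walk from the root trust anchor, the approach the bisected commit is named for, and shows why a signed zone (csail.mit.edu) under a parent whose lack of DS is proven by the grandparent's NSEC3 (mit.edu under edu) must come out INSECURE rather than BOGUS. The zone tree, the Delegation fields and the assumption that every label is a zone cut are all constructed for the example; classify_naively() mirrors the failure mode Simon describes (signed answers with no trusted key treated as bogus before the insecure delegation above is located), not the actual dnsmasq code path.

```python
"""Toy top-down DNSSEC chain walk (added example, not dnsmasq code).

At each zone cut below the trust anchor a validator asks, in order:
  1. Is there a DS in the parent and a child DNSKEY matching it? -> SECURE, descend.
  2. Does the parent prove with signed NSEC/NSEC3 that no DS exists? -> INSECURE;
     the secure delegation ends here and everything beneath is INSECURE too.
  3. Neither -> BOGUS.
All zone data below is constructed. Assumption: every label is a zone cut, and a
name not listed in the tree lies inside its nearest listed ancestor.
"""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    SECURE = "SECURE"
    INSECURE = "INSECURE"
    BOGUS = "BOGUS"


@dataclass(frozen=True)
class Delegation:
    """What a validator learns about one zone cut (constructed fields)."""
    ds_in_parent: bool         # parent publishes a DS RRset for this child
    no_ds_proven: bool         # parent returns signed NSEC/NSEC3 denying any DS
    dnskey_matches_ds: bool    # a child DNSKEY matches the DS (or the trust anchor, for ".")
    child_signs_answers: bool  # the child serves RRSIGs on its own data


# Constructed sample tree mirroring the thread: mit.edu is provably unsigned,
# csail.mit.edu is a signed island beneath it with no DS path to a trust anchor.
SAMPLE_TREE = {
    ".":             Delegation(True,  False, True,  True),   # root = trust anchor
    "edu":           Delegation(True,  False, True,  True),
    "mit.edu":       Delegation(False, True,  False, False),  # NSEC3 in edu denies DS
    "csail.mit.edu": Delegation(False, False, False, True),   # signed, no trusted DS
    # Two contrasting cases: DS present but no matching key, and no DS with no proof.
    "broken.edu":    Delegation(True,  False, False, True),
    "nodata.edu":    Delegation(False, False, False, False),
}


def zone_chain(name, tree):
    """'www.csail.mit.edu' -> ['.', 'edu', 'mit.edu', 'csail.mit.edu'] for SAMPLE_TREE."""
    labels = name.rstrip(".").split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    return ["."] + [z for z in suffixes if z in tree]


def classify(name, tree):
    """Correct walk: an authenticated 'no DS' proof caps the chain at INSECURE,
    regardless of any signatures found further down. Returns (state, zone)."""
    chain = zone_chain(name, tree)
    for zone in chain:
        d = tree[zone]
        if zone == ".":
            if not d.dnskey_matches_ds:      # root DNSKEY does not match the anchor
                return State.BOGUS, zone
            continue
        if d.ds_in_parent:
            if d.dnskey_matches_ds:
                continue                      # still SECURE, keep descending
            return State.BOGUS, zone          # DS exists but no DNSKEY matches it
        if d.no_ds_proven:
            return State.INSECURE, zone       # limit of secure delegation
        return State.BOGUS, zone              # no DS and no proof of its absence
    return State.SECURE, chain[-1]


def classify_naively(name, tree):
    """Models the reported failure mode: look only at the deepest zone; if it
    serves signed answers but no trusted key can be found, call it BOGUS
    without first walking down to find the insecure delegation above it."""
    d = tree[zone_chain(name, tree)[-1]]
    if d.child_signs_answers and not d.dnskey_matches_ds:
        return State.BOGUS
    return classify(name, tree)[0]


if __name__ == "__main__":
    for n in ("edu", "mit.edu", "csail.mit.edu", "www.csail.mit.edu", "broken.edu", "nodata.edu"):
        state, at = classify(n, SAMPLE_TREE)
        print(f"{n:20s} top-down: {state.value:8s} (decided at {at})   naive: {classify_naively(n, SAMPLE_TREE).value}")
```

Run it with no arguments: csail.mit.edu and www.csail.mit.edu come out INSECURE from the top-down walk (decided at mit.edu, where edu's NSEC3 proves there is no DS) but BOGUS from the naive check, while broken.edu and nodata.edu are BOGUS either way. The difference between the two functions is exactly the distinction between "unsigned records are legit here" and "signature against a non-existent key" that the thread is about.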