[Dnsmasq-discuss] DNSSEC failure with v2.73rc10

Toke Høiland-Jørgensen toke at toke.dk
Tue Sep 1 09:15:00 BST 2015


Toke Høiland-Jørgensen <toke at toke.dk> writes:

>> The two CNAME domains are signed, but the eurovps.com isn't.
>>
>> Hence the result of the A query is not validatable, and check-unsigned
>> has to prove that's OK, by showing that there's a secure denial of a DS
>> record covering the query.
>
> Figured it probably had something to do with the transition from a
> signed to an unsigned domain.

So, I ran into this failure again on dnsmasq-2.75:

Sep 01 10:11:50 gauss dnsmasq[28718]: query[A] database.srku.dk from 10.42.8.5
Sep 01 10:11:50 gauss dnsmasq[28718]: forwarded database.srku.dk to ::1
Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DNSKEY] srku.dk to ::1
Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] srku.dk to ::1
Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DNSKEY] dk to ::1
Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] dk to ::1
Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DS keytag 61294
Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DNSKEY keytag 16800
Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DNSKEY keytag 61294
Sep 01 10:11:51 gauss dnsmasq[28718]: reply dk is DNSKEY keytag 7203
Sep 01 10:11:51 gauss dnsmasq[28718]: reply srku.dk is DS keytag 2083
Sep 01 10:11:51 gauss dnsmasq[28718]: reply srku.dk is DNSKEY keytag 37065
Sep 01 10:11:51 gauss dnsmasq[28718]: reply srku.dk is DNSKEY keytag 2083
Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DNSKEY] studenterraad.dk to ::1
Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] studenterraad.dk to ::1
Sep 01 10:11:51 gauss dnsmasq[28718]: reply studenterraad.dk is DS keytag 12253
Sep 01 10:11:51 gauss dnsmasq[28718]: reply studenterraad.dk is DNSKEY keytag 36045
Sep 01 10:11:51 gauss dnsmasq[28718]: reply studenterraad.dk is DNSKEY keytag 12253
Sep 01 10:11:51 gauss dnsmasq[28718]: dnssec-query[DS] database.studenterraad.dk to ::1
Sep 01 10:11:51 gauss dnsmasq[28718]: validation database.srku.dk is BOGUS
Sep 01 10:11:51 gauss dnsmasq[28718]: reply database.srku.dk is <CNAME>
Sep 01 10:11:51 gauss dnsmasq[28718]: reply database.studenterraad.dk is <CNAME>
Sep 01 10:11:51 gauss dnsmasq[28718]: reply web21.sd.eurovps.com is 77.235.54.116


Turning off dnssec-check-unsigned makes the resolution succeed...

-Toke
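
A log-triage helper for traces like the one in the message above, added here as an example; it is not part of the original post or of dnsmasq. It assumes only the line shapes visible in that log, the function name `triage` is hypothetical, and the sample log is constructed with placeholder names.

```python
import re
from collections import OrderedDict

# Constructed sample in the same log format; names and addresses are placeholders.
SAMPLE_LOG = """\
Jan 01 00:00:01 host dnsmasq[100]: query[A] www.signed.example from 192.0.2.10
Jan 01 00:00:01 host dnsmasq[100]: forwarded www.signed.example to ::1
Jan 01 00:00:01 host dnsmasq[100]: dnssec-query[DNSKEY] signed.example to ::1
Jan 01 00:00:01 host dnsmasq[100]: dnssec-query[DS] signed.example to ::1
Jan 01 00:00:01 host dnsmasq[100]: reply signed.example is DS keytag 1111
Jan 01 00:00:01 host dnsmasq[100]: reply signed.example is DNSKEY keytag 1111
Jan 01 00:00:01 host dnsmasq[100]: dnssec-query[DS] www.unsigned.example to ::1
Jan 01 00:00:01 host dnsmasq[100]: validation www.signed.example is BOGUS
Jan 01 00:00:01 host dnsmasq[100]: reply www.signed.example is <CNAME>
Jan 01 00:00:01 host dnsmasq[100]: reply www.unsigned.example is 192.0.2.80
"""

LINE = re.compile(r"dnsmasq\[\d+\]: (.*)$")
QUERY = re.compile(r"dnssec-query\[(DS|DNSKEY)\] (\S+) to \S+")
REPLY = re.compile(r"reply (\S+) is (DS|DNSKEY) keytag \d+")
VERDICT = re.compile(r"validation (\S+) is (\S+)")


def triage(log_text):
    """For each BOGUS verdict, list the DS/DNSKEY lookups sent beforehand
    for which no 'keytag' reply line was logged."""
    pending = OrderedDict()   # (name, rrtype) -> True, in query order
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue          # not a dnsmasq line
        msg = m.group(1)
        if q := QUERY.match(msg):
            pending[(q.group(2), q.group(1))] = True
        elif r := REPLY.match(msg):
            pending.pop((r.group(1), r.group(2)), None)
        elif v := VERDICT.match(msg):
            if v.group(2) == "BOGUS":
                findings.append({"name": v.group(1),
                                 "no_keytag_reply": list(pending)})
            pending.clear()   # the next validation starts a new chain
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], "BOGUS; lookups without a keytag reply:", f["no_keytag_reply"])
```

The lookups it reports mark where the logged chain of trust stops, which is the zone cut to inspect when a signed name points into an unsigned domain.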


