[Dnsmasq-discuss] reply is (false) BOGUS DS, validation result is BOGUS

ValdikSS iam at valdikss.org.ru
Sat Nov 14 17:43:52 GMT 2015


Hi!
I have Debian Jessie with dnsmasq 2.72-3+deb8u1 configured with dnssec-check-unsigned.
It works fine on 20+ servers but doesn't work on one, which always replies with a BOGUS validation result for all domains.
I've confirmed that the problem is not in the network or network tampering by using a VPN to that server and running dnsmasq on my ArchLinux laptop; that works
correctly, just as on the other servers.

# dnsmasq --port=5351 --server=217.31.204.130 --dnssec --dnssec-check-unsigned --proxy-dnssec \
    --trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 -d -i lo --no-resolv --cache-size=10000 --log-queries
dnsmasq: started, version 2.72 cachesize 10000
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect
dnsmasq: DNSSEC validation enabled
dnsmasq: using nameserver 217.31.204.130#53
dnsmasq: read /etc/hosts - 5 addresses
dnsmasq: query[A] 2ip.ru from 127.0.0.1
dnsmasq: forwarded 2ip.ru to 217.31.204.130
dnsmasq: dnssec-query[DS] 2ip.ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] ru to 217.31.204.130
dnsmasq: dnssec-query[DS] ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] . to 217.31.204.130
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply . is DNSKEY keytag 62530
dnsmasq: reply ru is DS keytag 9880
dnsmasq: reply ru is DNSKEY keytag 54900
dnsmasq: reply ru is DNSKEY keytag 9880
dnsmasq: reply ru is DNSKEY keytag 30526
dnsmasq: reply 2ip.ru is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply 2ip.ru is 178.63.151.224

# dig -p5351 2ip.ru @127.0.0.1

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> -p5351 2ip.ru @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12988
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;2ip.ru.                IN    A

;; Query time: 682 msec
;; SERVER: 127.0.0.1#5351(127.0.0.1)
;; WHEN: Fri Nov 13 23:27:59 MSK 2015
;; MSG SIZE  rcvd: 35

217.31.204.130 is a CZ.NIC recursive server with working DNSSEC.
I've checked library versions and apt-get upgraded that broken server; it didn't help.


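Added diagnostic, not from the post above and not part of dnsmasq: a small Python script that reads the dnssec-query / "reply ... is DNSKEY|DS keytag N" / "reply ... is BOGUS" / "validation result" lines that dnsmasq prints with -d --log-queries and walks the chain of trust from the root down to the queried name, reporting the first zone at which validation broke instead of leaving that to be read off the log by eye. The embedded log is copied from the post; the trust-anchor keytag 19036 is the one given on the dnsmasq command line. A BOGUS DS for a name means the answer that failed to verify is the parent zone's (the DS RRset, or the NSEC/NSEC3 denial of one), so the script attributes the break to that delegation.

```python
"""Walk the DNSSEC chain of trust out of dnsmasq's -d --log-queries output.

Added diagnostic helper, not part of dnsmasq.  It reads only the
'dnssec-query[...]', 'reply <zone> is DNSKEY/DS keytag N',
'reply <name> is BOGUS <type>' and 'validation result is ...' lines
and reports the first zone at which the chain broke.
"""
import re

# Constructed input: the log lines copied from the post above.
SAMPLE_LOG = """\
dnsmasq: query[A] 2ip.ru from 127.0.0.1
dnsmasq: forwarded 2ip.ru to 217.31.204.130
dnsmasq: dnssec-query[DS] 2ip.ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] ru to 217.31.204.130
dnsmasq: dnssec-query[DS] ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] . to 217.31.204.130
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply . is DNSKEY keytag 62530
dnsmasq: reply ru is DS keytag 9880
dnsmasq: reply ru is DNSKEY keytag 54900
dnsmasq: reply ru is DNSKEY keytag 9880
dnsmasq: reply ru is DNSKEY keytag 30526
dnsmasq: reply 2ip.ru is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply 2ip.ru is 178.63.151.224
"""

QUERY_RE = re.compile(r"^dnsmasq: dnssec-query\[(?P<type>DS|DNSKEY)\] (?P<name>\S+) to ")
KEYTAG_RE = re.compile(r"^dnsmasq: reply (?P<name>\S+) is (?P<type>DNSKEY|DS) keytag (?P<tag>\d+)$")
BOGUS_RE = re.compile(r"^dnsmasq: reply (?P<name>\S+) is BOGUS (?P<type>\S+)$")
RESULT_RE = re.compile(r"^dnsmasq: validation result is (?P<result>\S+)$")


def parse_log(text):
    """Collect per-zone DNSKEY/DS keytags, BOGUS replies and the final verdict."""
    chain = {"queries": [], "dnskey": {}, "ds": {}, "bogus": [], "result": None}
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            chain["queries"].append((m["type"], m["name"]))
            continue
        m = KEYTAG_RE.match(line)
        if m:
            bucket = chain["dnskey"] if m["type"] == "DNSKEY" else chain["ds"]
            bucket.setdefault(m["name"], set()).add(int(m["tag"]))
            continue
        m = BOGUS_RE.match(line)
        if m:
            chain["bogus"].append((m["name"], m["type"]))
            continue
        m = RESULT_RE.match(line)
        if m:
            chain["result"] = m["result"]
    return chain


def zone_path(name):
    """Zones from the root down to name: '2ip.ru' -> ['.', 'ru', '2ip.ru']."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def chain_report(chain, qname, trust_anchor_keytag):
    """Return (ok, steps, broken_zone); steps is a list of (zone, note, ok).

    Walks root -> qname and stops at the first link that did not validate.
    A BOGUS DS for a zone is the parent's signed answer failing, so the
    break is attributed to that zone's delegation.
    """
    steps = []
    bogus = set(chain["bogus"])
    for zone in zone_path(qname):
        if zone == ".":
            keys = chain["dnskey"].get(".", set())
            ok = trust_anchor_keytag in keys
            note = "root DNSKEY set %s %s trust anchor keytag %d" % (
                sorted(keys), "contains" if ok else "lacks", trust_anchor_keytag)
        elif (zone, "DS") in bogus:
            ok, note = False, "DS answer from the parent zone failed validation"
        elif (zone, "DNSKEY") in bogus:
            ok, note = False, "DNSKEY RRset failed validation"
        else:
            ds = chain["ds"].get(zone, set())
            keys = chain["dnskey"].get(zone, set())
            if not ds and not keys:
                ok, note = True, "no DS or DNSKEY logged (unsigned or not reached)"
            else:
                ok = bool(ds & keys)  # a DS keytag must match a DNSKEY of the zone
                note = "DS keytags %s vs DNSKEY keytags %s" % (sorted(ds), sorted(keys))
        steps.append((zone, note, ok))
        if not ok:
            return False, steps, zone
    return True, steps, None


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    ok, steps, broken = chain_report(parsed, "2ip.ru", 19036)
    for zone, note, good in steps:
        print("%-8s %-4s %s" % (zone, "ok" if good else "FAIL", note))
    print("validation result logged:", parsed["result"], "- broken at:", broken)
```

On the post's log the root DNSKEY set contains the anchor and the ru DS (keytag 9880) matches one of the ru DNSKEYs, so the first failing link is the DS answer for 2ip.ru, which is data served and signed by the ru zone rather than by 2ip.ru itself. The next thing to capture is that answer on both a broken and a working host, `dig +dnssec DS 2ip.ru @217.31.204.130`, and diff the two responses (RRSIG inception/expiration, NSEC/NSEC3 records, and any truncation), since the DNSKEY sets above it were accepted on the broken host.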