[Dnsmasq-discuss] reply is (false) BOGUS DS, validation result is BOGUS
ValdikSS
iam at valdikss.org.ru
Sat Nov 14 17:44:35 GMT 2015
Here's another person with the exact same problem:
http://serverfault.com/questions/720293/dnsmasq-returns-false-bogus-result-for-dnssec-validation
On 14.11.2015 20:43, ValdikSS wrote:
> Hi!
> I have Debian Jessie with dnsmasq 2.72-3+deb8u1 configured with dnssec-check-unsigned.
> It works fine on 20+ servers but doesn't work on one; it always replies with a BOGUS validation result for all domains.
> I've confirmed that the problem is not in the network or network tampering by using a VPN to that server and running dnsmasq on a laptop with ArchLinux; that works
> correctly, just as on other servers.
>
> # dnsmasq --port=5351 --server=217.31.204.130 --dnssec --dnssec-check-unsigned --proxy-dnssec
> --trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 -d -i lo --no-resolv --cache-size=10000 --log-queries
> dnsmasq: started, version 2.72 cachesize 10000
> dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect
> dnsmasq: DNSSEC validation enabled
> dnsmasq: using nameserver 217.31.204.130#53
> dnsmasq: read /etc/hosts - 5 addresses
> dnsmasq: query[A] 2ip.ru from 127.0.0.1
> dnsmasq: forwarded 2ip.ru to 217.31.204.130
> dnsmasq: dnssec-query[DS] 2ip.ru to 217.31.204.130
> dnsmasq: dnssec-query[DNSKEY] ru to 217.31.204.130
> dnsmasq: dnssec-query[DS] ru to 217.31.204.130
> dnsmasq: dnssec-query[DNSKEY] . to 217.31.204.130
> dnsmasq: reply . is DNSKEY keytag 19036
> dnsmasq: reply . is DNSKEY keytag 62530
> dnsmasq: reply ru is DS keytag 9880
> dnsmasq: reply ru is DNSKEY keytag 54900
> dnsmasq: reply ru is DNSKEY keytag 9880
> dnsmasq: reply ru is DNSKEY keytag 30526
> dnsmasq: reply 2ip.ru is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply 2ip.ru is 178.63.151.224
>
> # dig -p5351 2ip.ru @127.0.0.1
>
> ; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> -p5351 2ip.ru @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12988
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;2ip.ru. IN A
>
> ;; Query time: 682 msec
> ;; SERVER: 127.0.0.1#5351(127.0.0.1)
> ;; WHEN: Fri Nov 13 23:27:59 MSK 2015
> ;; MSG SIZE rcvd: 35
>
> 217.31.204.130 is a CZ.NIC recursive server with working DNSSEC.
> I've checked library versions and apt-get upgraded that broken server; it didn't help.
>
>
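As an added triage aid (not part of the thread or of dnsmasq itself), a small Python script that rebuilds the chain of trust from dnsmasq's DNSSEC log lines and reports at which step validation broke. The log sample is constructed from the lines quoted above, and the trust-anchor keytag 19036 is the one given on the command line.

```python
import re
from collections import defaultdict

# Constructed sample: the dnsmasq DNSSEC log lines quoted in the message above.
SAMPLE_LOG = """\
dnsmasq: dnssec-query[DS] 2ip.ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] ru to 217.31.204.130
dnsmasq: dnssec-query[DS] ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] . to 217.31.204.130
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply . is DNSKEY keytag 62530
dnsmasq: reply ru is DS keytag 9880
dnsmasq: reply ru is DNSKEY keytag 54900
dnsmasq: reply ru is DNSKEY keytag 9880
dnsmasq: reply ru is DNSKEY keytag 30526
dnsmasq: reply 2ip.ru is BOGUS DS
dnsmasq: validation result is BOGUS
"""

KEY_RE = re.compile(r"reply (\S+) is (DNSKEY|DS) keytag (\d+)")
BOGUS_RE = re.compile(r"reply (\S+) is BOGUS (\S+)")

def analyse_chain(log: str, trust_anchor_keytag: int) -> dict:
    """Collect the DNSKEY/DS keytags dnsmasq logged per zone and list where the chain fails."""
    dnskeys, ds, bogus = defaultdict(set), defaultdict(set), []
    for line in log.splitlines():
        m = KEY_RE.search(line)
        if m:
            zone, rtype, tag = m.group(1), m.group(2), int(m.group(3))
            (dnskeys if rtype == "DNSKEY" else ds)[zone].add(tag)
            continue
        m = BOGUS_RE.search(line)
        if m:
            bogus.append((m.group(1), m.group(2)))  # (zone, record type that failed)
    problems = []
    # The configured trust anchor must appear among the root DNSKEYs that were returned.
    if trust_anchor_keytag not in dnskeys["."]:
        problems.append(f"trust anchor keytag {trust_anchor_keytag} not among root DNSKEYs")
    # Every DS seen for a zone should reference one of that zone's DNSKEYs.
    for zone, tags in ds.items():
        if not tags & dnskeys.get(zone, set()):
            problems.append(f"DS keytags {sorted(tags)} for {zone} match no logged DNSKEY")
    for zone, rtype in bogus:
        problems.append(f"{rtype} for {zone} validated BOGUS")
    return {"dnskeys": dict(dnskeys), "ds": dict(ds), "bogus": bogus, "problems": problems}

if __name__ == "__main__":
    for p in analyse_chain(SAMPLE_LOG, 19036)["problems"]:
        print(p)
```

On the quoted log this confirms the root and ru links are consistent (anchor 19036 present, ru DS 9880 matches a ru DNSKEY) and isolates the failure to the DS step for 2ip.ru.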