[Dnsmasq-discuss] reply is (false) BOGUS DS, validation result is BOGUS

Simon Kelley simon at thekelleys.org.uk
Sat Nov 14 19:26:28 GMT 2015



2.72 is a long time ago on the rocky road to correct DNSSEC. There have
been many fixes since then. I just tried the current development code
on the server 217.31.204.13, checking 2ip.ru, and it seems we get it
right now.

dnsmasq: started, version 2.76test1-14-g41a8d9e cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
dnsmasq: DNSSEC validation enabled
dnsmasq: using nameserver 217.31.204.130#53
dnsmasq: read /etc/hosts - 7 addresses
dnsmasq: query[A] 2ip.ru from 127.0.0.1
dnsmasq: forwarded 2ip.ru to 217.31.204.130
dnsmasq: dnssec-query[DS] ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] . to 217.31.204.130
dnsmasq: reply . is DNSKEY keytag 62530
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply ru is DS keytag 9880
dnsmasq: dnssec-query[DS] 2ip.ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] ru to 217.31.204.130
dnsmasq: reply ru is DNSKEY keytag 54900
dnsmasq: reply ru is DNSKEY keytag 9880
dnsmasq: reply ru is DNSKEY keytag 30526
dnsmasq: reply 2ip.ru is no DS
dnsmasq: validation result is INSECURE
dnsmasq: reply 2ip.ru is 178.63.151.224

So the best suggestion is to move to 2.75, or wait for 2.76.


Cheers,

Simon.


On 14/11/15 17:43, ValdikSS wrote:
> Hi! I have Debian Jessie with dnsmasq 2.72-3+deb8u1 configured with
> dnssec-check-unsigned. It works fine on 20+ servers but doesn't
> work on one: it always replies with a BOGUS validation result for all
> domains. I've confirmed that the problem is not in the network or
> network tampering: using a VPN to that server and running dnsmasq on
> the laptop with ArchLinux, it works correctly, just as on the other
> servers.
> 
> # dnsmasq --port=5351 --server=217.31.204.130 --dnssec --dnssec-check-unsigned --proxy-dnssec --trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 -d -i lo --no-resolv --cache-size=10000 --log-queries
> dnsmasq: started, version 2.72 cachesize 10000
> dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect
> dnsmasq: DNSSEC validation enabled
> dnsmasq: using nameserver 217.31.204.130#53
> dnsmasq: read /etc/hosts - 5 addresses
> dnsmasq: query[A] 2ip.ru from 127.0.0.1
> dnsmasq: forwarded 2ip.ru to 217.31.204.130
> dnsmasq: dnssec-query[DS] 2ip.ru to 217.31.204.130
> dnsmasq: dnssec-query[DNSKEY] ru to 217.31.204.130
> dnsmasq: dnssec-query[DS] ru to 217.31.204.130
> dnsmasq: dnssec-query[DNSKEY] . to 217.31.204.130
> dnsmasq: reply . is DNSKEY keytag 19036
> dnsmasq: reply . is DNSKEY keytag 62530
> dnsmasq: reply ru is DS keytag 9880
> dnsmasq: reply ru is DNSKEY keytag 54900
> dnsmasq: reply ru is DNSKEY keytag 9880
> dnsmasq: reply ru is DNSKEY keytag 30526
> dnsmasq: reply 2ip.ru is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply 2ip.ru is 178.63.151.224
> 
> # dig -p5351 2ip.ru @127.0.0.1
> 
> ; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> -p5351 2ip.ru @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12988
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;2ip.ru.                IN    A
> 
> ;; Query time: 682 msec
> ;; SERVER: 127.0.0.1#5351(127.0.0.1)
> ;; WHEN: Fri Nov 13 23:27:59 MSK 2015
> ;; MSG SIZE  rcvd: 35
> 
> 217.31.204.130 is a CZ.NIC recursive server with working DNSSEC.
> I've checked library versions and apt-get upgraded that broken
> server; it didn't help.
> 
> 
> 
> 
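As an added diagnostic example, not code from dnsmasq or from either poster: a small Python parser over dnsmasq --log-queries output that groups each client query with its DNSSEC sub-queries and names the zone cut behind the verdict, so a BOGUS result (SERVFAIL to the client, as in the 2.72 log) can be told apart from an INSECURE one (a proven-unsigned delegation, as in the 2.76test1 log). The sample log is constructed from trimmed lines of both messages; the record layout and the function names are the example's own.

```python
import re
# Constructed sample (not a capture): query 1 is the trimmed 2.72 log from the
# report, query 2 the trimmed 2.76test1 log from the reply.
SAMPLE_LOG = """\
dnsmasq: query[A] 2ip.ru from 127.0.0.1
dnsmasq: dnssec-query[DS] 2ip.ru to 217.31.204.130
dnsmasq: dnssec-query[DS] ru to 217.31.204.130
dnsmasq: dnssec-query[DNSKEY] . to 217.31.204.130
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply ru is DS keytag 9880
dnsmasq: reply 2ip.ru is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: query[A] 2ip.ru from 127.0.0.1
dnsmasq: reply 2ip.ru is no DS
dnsmasq: validation result is INSECURE
dnsmasq: reply 2ip.ru is 178.63.151.224
"""
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from \S+")
SUBQUERY_RE = re.compile(r"dnssec-query\[(\w+)\] (\S+) to \S+")
DS_RE = re.compile(r"reply (\S+) is (DS keytag \d+|no DS|BOGUS DS)$")
RESULT_RE = re.compile(r"validation result is (\w+)")
DS_STATUS = {"no DS": "unsigned", "BOGUS DS": "bogus"}  # anything else: signed

def parse_dnsmasq_dnssec(log_text):
    """One record per client query: DNSSEC sub-queries, DS status per zone cut, verdict."""
    records, cur = [], None
    for line in log_text.splitlines():
        if m := QUERY_RE.search(line):
            cur = {"name": m[2], "chain": [], "ds": {}, "result": None}
            records.append(cur)
        elif cur is None:
            continue  # lines logged before the first client query
        elif m := SUBQUERY_RE.search(line):
            cur["chain"].append((m[1], m[2]))
        elif m := DS_RE.search(line):
            cur["ds"][m[1]] = DS_STATUS.get(m[2], "signed")
        elif m := RESULT_RE.search(line):
            cur["result"] = m[1]
    return records

def diagnose(record):
    """Name the zone cut behind the verdict (BOGUS = client got SERVFAIL)."""
    verdict, ds = record["result"], record["ds"]
    if verdict == "BOGUS":
        bad = [z for z, s in ds.items() if s == "bogus"]
        return f"{record['name']}: BOGUS, DS for {bad[0] if bad else '?'} failed to validate"
    if verdict == "INSECURE":
        unsigned = [z for z, s in ds.items() if s == "unsigned"]
        return f"{record['name']}: INSECURE, {unsigned[0] if unsigned else '?'} proven unsigned"
    return f"{record['name']}: {verdict}"
```

Run it over a real log with `parse_dnsmasq_dnssec(open("/var/log/dnsmasq.log").read())`; the "DS keytag"/"no DS"/"BOGUS DS" lines are what tell a validation bug apart from a zone that is simply unsigned.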
