[Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC

Uwe Schindler uwe at thetaphi.de
Mon Jan 4 14:48:46 GMT 2016


Hi,

I found out that resolving of DNSSEC-signed wildcard domains does not work correctly with dnsmasq. I think the problem is that it looks for a signature of the requested domain name and not the wildcard.

The following fails:

$ dig issues.pangaea.de

; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59252
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;issues.pangaea.de.             IN      A

;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 04 15:43:42 CET 2016
;; MSG SIZE  rcvd: 46


The reason is: "issues.pangaea.de" is covered by a star domain "*.pangaea.de" that is correctly signed (tested from another server - not using dnsmasq):

$ dig +dnssec *.pangaea.de

; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de'
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8436
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.pangaea.de.                  IN      A

;; ANSWER SECTION:
*.pangaea.de.           28790   IN      A       134.1.2.171
*.pangaea.de.           28790   IN      RRSIG   A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=

;; AUTHORITY SECTION:
pangaea.de.             28790   IN      NS      ns2.domaindiscount24.net.
pangaea.de.             28790   IN      NS      ns3.domaindiscount24.net.
pangaea.de.             28790   IN      NS      ns1.domaindiscount24.net.
pangaea.de.             28790   IN      RRSIG   NS 7 2 28800 20160109071640 20151226151023 12714 pangaea.de. l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=

;; Query time: 0 msec
;; SERVER: 85.25.128.10#53(85.25.128.10)
;; WHEN: Mon Jan  4 14:42:43 2016
;; MSG SIZE  rcvd: 471

How should this be solved? This is another one where dnssec fails, so clearly a bug.

There is a test page about exactly that case, which fails for me when resolving through dnsmasq: http://0skar.cz/dns/en/

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe at thetaphi.de
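The wildcard rule the report's hypothesis hinges on, as an added example (this is not code from the post or from dnsmasq): RFC 4035 section 5.3 says a validator must compare the RRSIG Labels field (the "2" in "A 7 2 28800 ..." above) with the label count of the queried name, and when it is smaller, verify the signature over "*.<rightmost labels>" instead of the queried name. The RRSIG line below is the one from the dig output with the signature blob replaced by a placeholder.

```python
"""Which owner name must a DNSSEC validator verify an RRSIG over?

RFC 4035 s5.3.1/5.3.3: if the RRSIG Labels field is smaller than the number
of labels in the queried owner name, the answer was synthesised from a
wildcard and the signature was made over "*.<rightmost Labels labels>".
"""
from dataclasses import dataclass


@dataclass
class RRSigFields:
    type_covered: str
    algorithm: int
    labels: int
    signer: str


def parse_rrsig_rdata(rdata: str) -> RRSigFields:
    """Parse presentation-format RRSIG RDATA as printed by dig."""
    f = rdata.split()
    if len(f) < 9:
        raise ValueError("RRSIG rdata too short")
    return RRSigFields(type_covered=f[0], algorithm=int(f[1]),
                       labels=int(f[2]), signer=f[7])


def validation_name(qname: str, rrsig_labels: int) -> str:
    """Return the owner name the RRSIG must be verified against.

    A leading "*" and the root label do not count (RFC 4034 s3.1.3).
    Raises if the Labels field exceeds the name's label count (bogus).
    """
    labels = [l for l in qname.rstrip(".").split(".") if l]
    is_wild = bool(labels) and labels[0] == "*"
    if is_wild:
        labels = labels[1:]
    n = len(labels)
    if rrsig_labels > n:
        raise ValueError("RRSIG Labels > owner label count: bogus signature")
    if rrsig_labels == n:
        # Signed directly under this name: verify over the queried name.
        return ("*." if is_wild else "") + ".".join(labels) + "."
    # Wildcard expansion: the signature covers "*." + rightmost labels.
    # A full validator must additionally check the NSEC/NSEC3 proof that no
    # closer name exists (RFC 4035 s5.3.4); that step is not shown here.
    return "*." + ".".join(labels[n - rrsig_labels:]) + "."


# RRSIG from the dig output above; signature blob replaced by a placeholder.
RRSIG_FROM_POST = ("A 7 2 28800 20160109144508 20151226151023 12714 "
                   "pangaea.de. <base64-signature-placeholder>")


def name_to_verify(qname: str, rrsig_rdata: str = RRSIG_FROM_POST) -> str:
    """Combine the two steps for a queried name and an RRSIG RDATA string."""
    return validation_name(qname, parse_rrsig_rdata(rrsig_rdata).labels)
```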
