[Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC

Uwe Schindler uwe at thetaphi.de
Mon Jan 4 14:57:12 GMT 2016


Please note:
I fixed the example domain to have a real A record. Try any other fake name instead,
e.g., "dummy.pangaea.de", which also refers to the wildcard domain.

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe at thetaphi.de

> -----Original Message-----
> From: Uwe Schindler [mailto:uwe at thetaphi.de]
> Sent: Monday, January 04, 2016 3:49 PM
> To: dnsmasq-discuss at lists.thekelleys.org.uk
> Subject: Wildcard Domain resolving does not work with DNSSEC
> 
> Hi,
> 
> I found out that resolving DNSSEC-signed wildcard domains does not work
> correctly with dnsmasq. I think the problem is that it looks for a signature of
> the requested domain name and not of the wildcard.
> 
> The following fails:
> 
> $ dig issues.pangaea.de
> 
> ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59252
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;issues.pangaea.de.             IN      A
> 
> ;; Query time: 18 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 04 15:43:42 CET 2016
> ;; MSG SIZE  rcvd: 46
> 
> 
> The reason is: "issues.pangaea.de" is covered by a star domain
> "*.pangaea.de" that is correctly signed (tested from another server - not
> using dnsmasq):
> 
> $ dig +dnssec *.pangaea.de
> 
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de'
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8436
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;*.pangaea.de.                  IN      A
> 
> ;; ANSWER SECTION:
> *.pangaea.de.           28790   IN      A       134.1.2.171
> *.pangaea.de.           28790   IN      RRSIG   A 7 2 28800 20160109144508
> 20151226151023 12714 pangaea.de.
> jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q
> MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m
> HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=
> 
> ;; AUTHORITY SECTION:
> pangaea.de.             28790   IN      NS      ns2.domaindiscount24.net.
> pangaea.de.             28790   IN      NS      ns3.domaindiscount24.net.
> pangaea.de.             28790   IN      NS      ns1.domaindiscount24.net.
> pangaea.de.             28790   IN      RRSIG   NS 7 2 28800 20160109071640
> 20151226151023 12714 pangaea.de.
> l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p
> O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql
> maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=
> 
> ;; Query time: 0 msec
> ;; SERVER: 85.25.128.10#53(85.25.128.10)
> ;; WHEN: Mon Jan  4 14:42:43 2016
> ;; MSG SIZE  rcvd: 471
> 
> How should this be solved? This is another case where DNSSEC fails, so it is
> clearly a bug.
> 
> There is a test page about exactly that case, which fails for me when
> resolving through dnsmasq: http://0skar.cz/dns/en/
> 
> Uwe
> 
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe at thetaphi.de
> 
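An added example (not code from the post or from dnsmasq) of the check RFC 4035 section 5.3.1 asks a validator to make on an answer like the one above: compare the RRSIG Labels field with the label count of the queried owner name, and when the owner has more labels, verify the signature over the reconstructed wildcard name instead of the queried name. The RRSIG fields are copied from the dig output in the quoted mail; the function names are my own.

```python
from typing import Optional

# RDATA of the RRSIG on *.pangaea.de as printed by dig above (signature
# data omitted). Labels field = 2 because the '*' label is not counted.
RRSIG_RDATA = "A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de."


def labels_of(name: str) -> list:
    """Split a fully qualified name into its labels (root label excluded)."""
    return [l for l in name.rstrip(".").split(".") if l]


def rrsig_labels_field(owner: str) -> int:
    """Signer side: Labels field for an owner name. A leading '*' is not
    counted (RFC 4034 s3.1.3), so '*.pangaea.de.' yields 2."""
    labels = labels_of(owner)
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def parse_rrsig_rdata(rdata: str) -> dict:
    """Parse the presentation-format RRSIG RDATA fields dig prints."""
    f = rdata.split()
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "original_ttl": int(f[3]), "expiration": f[4], "inception": f[5],
            "key_tag": int(f[6]), "signer": f[7]}


def signed_name(owner: str, rrsig_labels: int) -> Optional[str]:
    """Validator side: the name the signature covers, or None when the RRSIG
    claims more labels than the owner name has (the RRSIG is then invalid)."""
    labels = labels_of(owner)
    if rrsig_labels > len(labels):
        return None
    if rrsig_labels == len(labels):
        return ".".join(labels) + "."
    # Fewer labels in the RRSIG: the RRset was synthesized from a wildcard,
    # so the signature covers '*' plus the rightmost rrsig_labels labels.
    return "*." + ".".join(labels[-rrsig_labels:]) + "."


def check_wildcard_answer(qname: str, rrsig_rdata: str) -> dict:
    """Decide what a validator must verify for an answer RRset on qname."""
    sig = parse_rrsig_rdata(rrsig_rdata)
    name = signed_name(qname, sig["labels"])
    if name is None:
        return {"status": "bogus", "reason": "RRSIG labels exceed owner labels"}
    expanded = name != ".".join(labels_of(qname)) + "."
    # A wildcard-expanded answer additionally needs an NSEC/NSEC3 proof that
    # no closer match for qname exists (RFC 4035 s5.3.4), not only the RRSIG.
    return {"status": "verify", "verify_over": name, "signer": sig["signer"],
            "wildcard_expanded": expanded, "needs_nonexistence_proof": expanded}
```

For the query in the mail, `check_wildcard_answer("issues.pangaea.de.", RRSIG_RDATA)` reports that the signature must be checked over `*.pangaea.de.`, which is the step the post suspects dnsmasq skips.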