[Dnsmasq-discuss] Failure on dnssec-check-unsigned for Cloudflare re-delegated domains

Toke Høiland-Jørgensen toke at toke.dk
Sun Jun 19 10:53:28 BST 2016


I recently moved one of my domains to Cloudflare DNS. This has caused
some issues with resolving through dnsmasq when dnssec-check-unsigned is
enabled. Cloudflare supports DNSSEC and resolving the hostnames directly
specified in their DNS works fine. The issue is with subdomains that are
re-delegated with a subsequent NS record (insecurely; to dnsmasq
instances, incidentally, but that's beside the point here).

I *think* that the issue is that the NSEC record for the subdomain
includes a spurious null byte:

$ host -t NSEC brohuset.milos.dk
brohuset.milos.dk has NSEC record brohuset\000.milos.dk. NS RRSIG NSEC

Dnsviz seems to think that the NSEC record matches, and that the
delegation is insecure (as expected). Although it gives a bunch of other
errors: http://dnsviz.net/d/brohuset.milos.dk/dnssec/


So I'm actually not sure if this is an issue with dnsmasq or if
Cloudflare's DNS is buggy. Unbound does seem to resolve the domain,
though.

This is with dnsmasq 2.76.

-Toke


