[Dnsmasq-discuss] Failure on dnssec-check-unsigned for Cloudflare re-delegated domains

Simon Kelley simon at thekelleys.org.uk
Thu Jul 7 22:18:13 BST 2016


On 19/06/16 10:53, Toke Høiland-Jørgensen wrote:
> I recently moved one of my domains to Cloudflare DNS. This has caused
> some issues with resolving through dnsmasq when dnssec-check-unsigned is
> enabled. Cloudflare supports DNSSEC and resolving the hostnames directly
> specified in their DNS works fine. The issue is with subdomains that are
> re-delegated with a subsequent NS record (insecurely; to dnsmasq
> instances, incidentally, but that's beside the point here).
> 
> I *think* that the issue is that the NSEC record for the subdomain
> includes a spurious null byte:
> 
> $ host -t NSEC brohuset.milos.dk
> brohuset.milos.dk has NSEC record brohuset\000.milos.dk. NS RRSIG NSEC
> 
> Dnsviz seems to think that the NSEC record matches, and that the
> delegation is insecure (as expected). Although it gives a bunch of other
> errors: http://dnsviz.net/d/brohuset.milos.dk/dnssec/
> 
> 
> So I'm actually not sure if this is an issue with dnsmasq or if
> Cloudflare's DNS is buggy. Unbound does seem to resolve the domain,
> though.

Well, whatever it's done, it confuses Google Public DNS too:


srk@holly:~$ dig @8.8.8.8 +dnssec DS brohuset.milos.dk

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @8.8.8.8 +dnssec DS brohuset.milos.dk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6301
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;brohuset.milos.dk.		IN	DS

;; Query time: 3296 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jul 07 22:10:42 BST 2016
;; MSG SIZE  rcvd: 46


I'm not sure that the NSEC record is faulty: the extra NULL byte is in
the "next existing name" field, and sure enough, that name does exist,
though it only seems to contain an NSEC record!


srk@holly:~$ dig @8.8.8.8 +dnssec A brohuset/000.milos.dk

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @8.8.8.8 +dnssec A brohuset/000.milos.dk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16789
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;brohuset/000.milos.dk.		IN	A

;; AUTHORITY SECTION:
milos.dk.		1799	IN	SOA	buck.ns.cloudflare.com. dns.cloudflare.com. 2021877006 10000 2400 604800 3600
brohuset/000.milos.dk.	3599	IN	NSEC	\000.brohuset/000.milos.dk. RRSIG NSEC
brohuset/000.milos.dk.	3599	IN	RRSIG	NSEC 13 3 3600 20160708221452 20160706201452 35273 milos.dk. RuVEwfQttCXJmREcXmPp1AG21eudJNw35wuPmngG//Yf9Gkyycojhsmh 5/Gl6nrw+hKCH9cSyRT04s+MPyGNtg==
milos.dk.		1799	IN	RRSIG	SOA 13 2 3600 20160708221452 20160706201452 35273 milos.dk. CnujTN78WC7cTmVqkavyLDVpUIt2eUoMxRdoK3R3rOSGPfg15A5Zhigt zpMzixRc9WtzbXNa+/qT8d9dolmk8Q==

I suspect that this is cloudflare being very clever again, and I can
guess how it might be confusing dnsmasq, but it's going to be difficult
to test when it confuses google too.

Cheers,

Simon.

> 
> This is with dnsmasq 2.76.
> 
> -Toke
> 

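The following is an added worked example, not code from dnsmasq or from anyone in the thread. It implements the checks a validator performs on the NSEC record quoted above: RFC 4034 section 6.1 canonical name ordering (with \DDD escapes such as \000), the match/cover test for an NSEC record, the RFC 4035 section 5.2 insecure delegation proof that dnssec-check-unsigned relies on, and the RFC 4470 "minimally covering" successor that on-the-fly signers generate, which is where a name like brohuset\000.milos.dk comes from. Only the names and type bitmaps are taken from the thread; every function name and the sample queries are this example's own.

```python
"""Added example (not dnsmasq code): NSEC handling for the milos.dk case.

Names and NSEC contents below are quoted from the thread; the helpers are
this example's own and follow RFC 4034 s6.1, RFC 4035 s5.2, RFC 6840 s4.1
and RFC 4470 s3.1.2.
"""
from __future__ import annotations


def parse_name(text: str) -> list[bytes]:
    """Presentation format -> list of raw label octets (handles \\DDD and \\c)."""
    labels: list[bytes] = []
    cur = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        digits = text[i + 1:i + 4]
        if c == "\\" and len(digits) == 3 and digits.isdigit():
            cur.append(int(digits))            # \000, \200, ...
            i += 4
        elif c == "\\":
            cur.append(ord(text[i + 1]))       # \. or \\
            i += 2
        elif c == ".":
            labels.append(bytes(cur))          # a trailing dot adds no label
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(c))
            i += 1
    if cur:
        labels.append(bytes(cur))
    return labels


def to_text(labels: list[bytes]) -> str:
    """Raw labels -> presentation format, escaping '.', '\\' and non-printables."""
    out = []
    for lab in labels:
        s = ""
        for b in lab:
            if b in (0x2E, 0x5C):
                s += "\\" + chr(b)
            elif 0x21 <= b <= 0x7E:
                s += chr(b)
            else:
                s += "\\%03d" % b
        out.append(s)
    return ".".join(out)


def canonical_key(name: str) -> list[bytes]:
    """RFC 4034 s6.1: compare from the root label leftwards, case-folded.
    Python list/bytes comparison gives exactly the RFC rule: a shorter
    prefix sorts first, and the absence of an octet sorts before \\000."""
    return [lab.lower() for lab in reversed(parse_name(name))]


def nsec_relation(qname: str, owner: str, next_name: str, owner_types=()) -> str:
    """'match' if the NSEC owner is qname, 'cover' if qname sorts strictly
    between owner and next name, else 'none'."""
    q, o, n = canonical_key(qname), canonical_key(owner), canonical_key(next_name)
    if q == o:
        return "match"
    types = {t.upper() for t in owner_types}
    # RFC 6840 s4.1: an NSEC owned by a delegation (NS set, SOA clear) says
    # nothing about names below the zone cut; those belong to the child.
    if "NS" in types and "SOA" not in types and q[:len(o)] == o:
        return "none"
    if o < n:
        covered = o < q < n
    else:                                      # last NSEC wraps to the apex
        covered = q > o or q < n
    return "cover" if covered else "none"


def proves_insecure_delegation(name: str, nsec_owner: str, nsec_next: str, nsec_types) -> bool:
    """RFC 4035 s5.2: a *matching* NSEC with NS set and DS (and SOA) clear
    proves there is no DS, so the child zone may be treated as insecure."""
    if nsec_relation(name, nsec_owner, nsec_next, nsec_types) != "match":
        return False
    t = {x.upper() for x in nsec_types}
    return "NS" in t and "DS" not in t and "SOA" not in t


def minimal_successor(name: str, delegation: bool) -> str:
    """RFC 4470 s3.1.2: smallest name sorting after `name` as seen from the
    zone. Normally prepend a single \\000 label; at a delegation the zone
    owns nothing below the cut, so append a zero octet to the first label
    instead (this example assumes that label is shorter than 63 octets)."""
    labels = parse_name(name)
    if delegation:
        first = labels[0] + b"\x00"
        assert len(first) <= 63, "label would overflow; RFC 4470 increments instead"
        labels = [first] + labels[1:]
    else:
        labels = [b"\x00"] + labels
    return to_text(labels)


# Data quoted in the thread (Cloudflare's answers for milos.dk, July 2016).
DELEGATION = "brohuset.milos.dk."
NSEC_NEXT = "brohuset\\000.milos.dk."
NSEC_TYPES = ("NS", "RRSIG", "NSEC")

if __name__ == "__main__":
    print(nsec_relation(DELEGATION, DELEGATION, NSEC_NEXT, NSEC_TYPES))
    print(proves_insecure_delegation(DELEGATION, DELEGATION, NSEC_NEXT, NSEC_TYPES))
    print(minimal_successor(DELEGATION, delegation=True))
    print(minimal_successor("brohuset/000.milos.dk.", delegation=False))
```

Run against the thread's data, the NSEC at brohuset.milos.dk matches the delegation name and carries NS but not DS, which is a valid insecure delegation proof, and its next name is exactly the RFC 4470 successor of a delegation (append a zero octet to the first label). The second dig answer in the thread shows the other RFC 4470 form, a prepended \000 label, because brohuset/000.milos.dk is not a delegation. Note the RFC 6840 rule in nsec_relation: without it the delegation's NSEC would appear to "cover" names under brohuset.milos.dk, which is precisely the mistake a validator must not make when the child is served elsewhere.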