[Dnsmasq-discuss] Strange replies for DNSSEC domains
Simon Kelley
simon at thekelleys.org.uk
Thu Jul 14 22:26:45 BST 2016
On 13/07/16 20:15, mmmfotografie wrote:
> Hi, I just had a problem when I wanted to visit a site, and when I looked
> it up in the log file I recognized a strange behavior that I had before,
> when I had the "DNSSEC/TLSA Validator" as a plug-in for Firefox.
> It stopped browsing completely for a minute by becoming unresponsive.
> This was only when I used DNSmasq; direct upstream replies went
> without a hitch.
>
> The bit of log underneath was without any plug-in, so a plain request.
> You see that the domain name is split up in parts and it first returns
> the dot and then the org part.
>
>> forwarded www.raspberrypi.org to 194.109.9.99
>> dnssec-query[DS] org to 194.109.9.99
>> dnssec-query[DNSKEY] . to 194.109.9.99
>> reply . is DNSKEY keytag 46551, algo 8
>> reply . is DNSKEY keytag 19036, algo 8
>> reply org is DS keytag 9795, algo 7, digest 1
>> reply org is DS keytag 9795, algo 7, digest 2
>> dnssec-query[DS] raspberrypi.org to 194.109.9.99
>> dnssec-query[DNSKEY] org to 194.109.9.99
>> reply org is DNSKEY keytag 3177, algo 7
>> reply org is DNSKEY keytag 2097, algo 7
>> reply org is DNSKEY keytag 17883, algo 7
>> reply org is DNSKEY keytag 9795, algo 7
> This bit is directly underneath and to me this looks correct:
>> reply raspberrypi.org is DS keytag 21912, algo 10, digest 2
>> dnssec-query[DNSKEY] raspberrypi.org to 194.109.9.99
>> reply raspberrypi.org is DNSKEY keytag 23657, algo 10
>> reply raspberrypi.org is DNSKEY keytag 21912, algo 10
>> reply raspberrypi.org is DNSKEY keytag 12500, algo 10
>> validation result is SECURE
> Going to try the 8.8.8.8 with the plug-in and see if it can be
> replicated on another nameserver.
>
That's quite normal. Dnsmasq knows the public key for the root zone, and
it has to make queries for DS and DNSKEY records that extend the
chain-of-trust from the root to the domain that you asked for. Those
queries are generated by dnsmasq and logged as "dnssec-query".
Cheers,
Simon.
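As an added illustration of the chain-of-trust walk Simon describes (example code, not from the thread or from dnsmasq itself): this Python script parses the "reply ... is DS/DNSKEY" lines from the log above and checks that each zone cut's DS names a DNSKEY the child zone actually served. The sample log is the excerpt from the post; the root trust anchor (keytag 19036, algorithm 8) is taken from the log, and signatures are not checked because the log does not carry them.

```python
"""Check the DNSSEC chain of trust recorded in dnsmasq 'reply ... is DS/DNSKEY' log lines."""
import re
from collections import defaultdict

# Constructed sample: the 'reply' lines from the log excerpt in the post (queries omitted).
SAMPLE_LOG = """\
reply . is DNSKEY keytag 46551, algo 8
reply . is DNSKEY keytag 19036, algo 8
reply org is DS keytag 9795, algo 7, digest 1
reply org is DS keytag 9795, algo 7, digest 2
reply org is DNSKEY keytag 3177, algo 7
reply org is DNSKEY keytag 2097, algo 7
reply org is DNSKEY keytag 17883, algo 7
reply org is DNSKEY keytag 9795, algo 7
reply raspberrypi.org is DS keytag 21912, algo 10, digest 2
reply raspberrypi.org is DNSKEY keytag 23657, algo 10
reply raspberrypi.org is DNSKEY keytag 21912, algo 10
reply raspberrypi.org is DNSKEY keytag 12500, algo 10
validation result is SECURE
"""
REPLY_RE = re.compile(r"reply (\S+) is (DS|DNSKEY) keytag (\d+), algo (\d+)")

def parse_replies(log):
    """Group replies as {zone: {"DS": {(keytag, algo)}, "DNSKEY": {(keytag, algo)}}}."""
    zones = defaultdict(lambda: {"DS": set(), "DNSKEY": set()})
    for m in REPLY_RE.finditer(log):
        zone, rtype, keytag, algo = m.groups()
        zones[zone][rtype].add((int(keytag), int(algo)))
    return zones

def chain_of_trust(zones, name, anchor):
    """Walk from the root towards `name`, one zone cut at a time.

    Every zone with DS replies is a zone cut; its DS keytag/algo (published by
    the parent) must match a DNSKEY the child served. Returns [(zone, keytag)]
    or raises ValueError on a broken link. Signatures are not in the log.
    """
    if anchor not in zones["."]["DNSKEY"]:
        raise ValueError("root DNSKEY set does not contain the configured trust anchor")
    links = [(".", anchor[0])]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:])
        ds = zones[zone]["DS"]
        if not ds:
            break  # no DS seen: not a zone cut in this log (e.g. www.raspberrypi.org)
        matched = ds & zones[zone]["DNSKEY"]
        if not matched:
            raise ValueError(f"DS for {zone} names no DNSKEY the zone served: {sorted(ds)}")
        links.append((zone, min(matched)[0]))
    return links
```

Running `chain_of_trust(parse_replies(SAMPLE_LOG), "www.raspberrypi.org", (19036, 8))` reproduces the three links root, org, raspberrypi.org that the log's "validation result is SECURE" depends on.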