[Dnsmasq-discuss] Strange replies for DNSSEC domains
simon at thekelleys.org.uk
Thu Jul 14 22:26:45 BST 2016
On 13/07/16 20:15, mmmfotografie wrote:
> Hi, I just had a problem when I wanted to visit a site and when I looked
> it up in the log-file I recognize a strange behavior, that I had before
> when I had wen I had the "DNSSEC/TLSA Validator" as plug-in of Firefox.
> It stopped completely browsing for a minute by becoming unresponsive.
> This was only when I used DNSmasq and direct upstream replies went
> without a hitch.
> The bit of log underneath was without any plug-in so a plain request.
> You see that the domain name is split up in parts and it first returns
> the dot and then the org part.
>> forwarded www.raspberrypi.org to 126.96.36.199
>> dnssec-query[DS] org to 188.8.131.52
>> dnssec-query[DNSKEY] . to 184.108.40.206
>> reply . is DNSKEY keytag 46551, algo 8
>> reply . is DNSKEY keytag 19036, algo 8
>> reply org is DS keytag 9795, algo 7, digest 1
>> reply org is DS keytag 9795, algo 7, digest 2
>> dnssec-query[DS] raspberrypi.org to 220.127.116.11
>> dnssec-query[DNSKEY] org to 18.104.22.168
>> reply org is DNSKEY keytag 3177, algo 7
>> reply org is DNSKEY keytag 2097, algo 7
>> reply org is DNSKEY keytag 17883, algo 7
>> reply org is DNSKEY keytag 9795, algo 7
> This bit is directly underneath and to me this looks correct:
>> reply raspberrypi.org is DS keytag 21912, algo 10, digest 2
>> dnssec-query[DNSKEY] raspberrypi.org to 22.214.171.124
>> reply raspberrypi.org is DNSKEY keytag 23657, algo 10
>> reply raspberrypi.org is DNSKEY keytag 21912, algo 10
>> reply raspberrypi.org is DNSKEY keytag 12500, algo 10
>> validation result is SECURE
> Going to try the 126.96.36.199 with the plug-in and see if it can be
> replicated on a other nameserver.
That's quite normal. Dnsmasq knows the public key for the root zone, and
it has to make queries for DS and DNSKEY records that extend the
chain-of-trust from the root to the domain that you asked for. Those
queries are generated by dnsmasq and logged as "dnssec-query".
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
More information about the Dnsmasq-discuss