[Dnsmasq-discuss] DNSSEC failure after some time

Simon Kelley simon at thekelleys.org.uk
Wed Jun 28 22:05:51 BST 2017


On 28/06/17 02:25, Hamish Moffatt wrote:
> I've recently enabled DNSSEC on dnsmasq, and signed a zone that I work
> with a lot.
> 
> It works for a while (dig shows the AD (authentic data) flag on signed
> zones), but after about a week, I start getting lookup failures for that
> zone until I restart dnsmasq. Then it works for another week. The DNSSEC
> verifier at https://dnssec-debugger.verisignlabs.com/ says the domain is
> fine.
> 
> There's nothing in the log file, though I am not logging all queries.
> 
> 
> I have version 2.75. It's baked into my router firmware (Tomato Shibby)
> so I can't easily try the very latest. The DNSSEC-related part of my
> config is
> 
> dnssec
> 
> conf-file=/etc/trust-anchors.conf
> 
> 
> And the trust-anchors.conf says
> 
> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
> 
> trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
> 
> Jun 28 10:11:54 router daemon.info dnsmasq[9632]: started, version 2.76
> cachesize 4096
> Jun 28 10:11:54 router daemon.info dnsmasq[9632]: compile time options:
> IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP
> no-conntrack ipset Tomato-helper auth DNSSEC loop-detect no-inotify
> Jun 28 10:11:54 router daemon.info dnsmasq[9632]: DNSSEC validation enabled
> Jun 28 10:11:54 router daemon.info dnsmasq[9632]: asynchronous logging
> enabled, queue limit is 5 messages
> Jun 28 10:11:54 router daemon.info dnsmasq-dhcp[9632]: DHCP, IP range
> 192.168.42.20 -- 192.168.42.254, lease time 1d
> Jun 28 10:11:54 router daemon.info dnsmasq[9632]: reading
> /etc/resolv.dnsmasq
> Jun 28 10:11:54 router daemon.info dnsmasq[9632]: using nameserver
> 8.8.8.8#53
> Jun 28 10:11:54 router daemon.info dnsmasq[9632]: using nameserver
> 8.8.4.4#53
> Jun 28 10:11:54 router daemon.info dnsmasq[9632]: read /etc/hosts - 2
> addresses
> Jun 28 10:11:54 router daemon.info dnsmasq[9632]: read
> /etc/dnsmasq/hosts/hosts - 12 addresses
> Jun 28 10:11:54 router daemon.info dnsmasq-dhcp[9632]: read
> /etc/dnsmasq/dhcp/dhcp-hosts
> 
> 

Your text says 2.75, but the log says 2.76. There's a significant
difference between the two in DNSSEC code.

First thing to do is to turn on --log-queries and arrange for the (quite
large) logs to go somewhere safe, if the router has limited storage.
That should give you information about why the validation is failing.
Cheers,

Simon.
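Once --log-queries is on, the log grows fast and the interesting lines are the DNSSEC verdicts. The script below is an added example, not code from this thread or from the dnsmasq project: it sifts such a log for per-zone validation results and ties each BOGUS verdict back to the client query that triggered it. The sample log lines are constructed, and the line shapes ("query[A] name from client", "validation name is STATUS", "validation result is STATUS") are assumed to follow dnsmasq's --log-queries output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of dnsmasq --log-queries output (not taken from the thread).
SAMPLE_LOG = """\
Jun 30 03:12:01 router daemon.info dnsmasq[9632]: query[A] www.example.com from 192.168.42.21
Jun 30 03:12:01 router daemon.info dnsmasq[9632]: dnssec-query[DNSKEY] example.com to 8.8.8.8
Jun 30 03:12:01 router daemon.info dnsmasq[9632]: validation example.com is BOGUS
Jun 30 03:12:01 router daemon.info dnsmasq[9632]: validation result is BOGUS
Jun 30 03:12:05 router daemon.info dnsmasq[9632]: query[A] www.example.net from 192.168.42.21
Jun 30 03:12:05 router daemon.info dnsmasq[9632]: validation example.net is SECURE
Jun 30 03:12:05 router daemon.info dnsmasq[9632]: validation result is SECURE
Jun 30 03:13:09 router daemon.info dnsmasq[9632]: query[A] www.example.com from 192.168.42.30
Jun 30 03:13:09 router daemon.info dnsmasq[9632]: validation example.com is BOGUS
Jun 30 03:13:09 router daemon.info dnsmasq[9632]: validation result is BOGUS
"""

# Per-name verdict lines; the lookahead skips "validation result is ...", which
# repeats the overall outcome for the query and would otherwise double-count.
VALIDATION_RE = re.compile(r"dnsmasq\[\d+\]: validation (?!result )(\S+) is (SECURE|INSECURE|BOGUS)")
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")

def summarize_validation(log_text):
    """Return {name: Counter(status -> count)} over every per-name validation line."""
    per_name = defaultdict(Counter)
    for line in log_text.splitlines():
        m = VALIDATION_RE.search(line)
        if m:
            per_name[m.group(1)][m.group(2)] += 1
    return dict(per_name)

def bogus_queries(log_text):
    """Pair each BOGUS verdict with the most recent client query logged before it."""
    last_query = None
    hits = []
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            last_query = (q.group(1), q.group(2), q.group(3))
            continue
        v = VALIDATION_RE.search(line)
        if v and v.group(2) == "BOGUS" and last_query:
            hits.append((v.group(1),) + last_query)
    return hits

if __name__ == "__main__":
    for name, counts in sorted(summarize_validation(SAMPLE_LOG).items()):
        print(name, dict(counts))
    for zone, qtype, qname, client in bogus_queries(SAMPLE_LOG):
        print(f"BOGUS {zone}: {qtype} {qname} from {client}")
```

On a router with little flash, dnsmasq's --log-facility option accepts a file path (any value containing a '/'), so the log can be pointed at mounted external storage instead of syslog.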

