[Dnsmasq-discuss] SERVFAIL logging
Simon Kelley
simon at thekelleys.org.uk
Fri May 4 15:35:33 BST 2018
It could certainly be added, and would be a useful thing to do.
I'm actually more interested in the wrong/strange behaviour you mention,
since there's some evidence of this, and it seems to be problems with
the answers from upstream servers, but we can't identify which servers
are causing the problem.
Please could you try the following two queries _to_your_unbound_server_
and report the results?
dig +dnssec ds archive.raspberrypi.org
dig +vc +dnssec ds archive.raspberrypi.org
Cheers,
Simon.
On 28/04/18 10:40, Dominik wrote:
> Dear dnsmasq list members,
>
> I'm running an unbound recursive DNS server. It is the only forwarding
> destination of my local dnsmasq instance. The unbound resolver is aware
> of DNSSEC and handles it well. I have NOT enabled DNSSEC support in
> dnsmasq itself, as it was sometimes giving wrong/strange behavior (the
> same domains were sometimes SECURE, sometimes BOGUS). I'm running
> dnsmasq 2.79.
>
> If I query a BOGUS domain directly from my unbound resolver (e.g., dig
> www.dnssec-failed.org), I'm getting a SERVFAIL response. dnsmasq simply
> forwards this SERVFAIL to the requesting client and hence they are
> protected against BOGUS domain records just as expected.
>
> However, looking into dnsmasq's log file, I only see
>
> Apr 28 11:36:13 dnsmasq[440]: 132 192.168.2.209/43506 query[A]
> www.dnssec-failed.org from 192.168.2.209
> Apr 28 11:36:13 dnsmasq[440]: 132 192.168.2.209/43506 forwarded
> www.dnssec-failed.org to 127.0.0.1
>
> The SERVFAIL event is never logged.
>
> Could this be added without too much effort?
>
> Best regards,
> Dominik
>
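
Added example (not part of the original thread and not dnsmasq code): while SERVFAIL is not logged, one way to spot such answers in a log like the one quoted above is to look for queries that were forwarded but never got an answer line with the same serial number and client address/port. It assumes answered queries are logged as reply, cached, config or hosts-file lines; the first three sample lines are constructed, the last two are the quoted ones with the e-mail line wrapping undone.

```python
import re

# Line layout as in the quoted excerpt: syslog prefix, then
# "<serial> <client-ip>/<port> <action> <name> <from|to|is> <value>".
LINE_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<serial>\d+) (?P<client>\S+/\d+) "
    r"(?P<action>\S+) (?P<name>\S+) (?P<prep>from|to|is) (?P<value>.+)$"
)

# Actions treated as "an answer was logged" (assumption, see lead-in).
ANSWER_ACTIONS = {"reply", "cached", "config"}


def unanswered_forwards(lines):
    """Return (serial, client, qtype, name, upstream) for every query that
    was forwarded upstream but never followed by an answer line."""
    pending = {}  # (serial, client) -> details of the open query
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["serial"], m["client"])
        action = m["action"]
        if action.startswith("query["):
            pending[key] = {"qtype": action[6:-1], "name": m["name"],
                            "upstream": None}
        elif action == "forwarded" and key in pending:
            pending[key]["upstream"] = m["value"]
        elif action in ANSWER_ACTIONS or action.startswith("/"):
            # "/..." covers answers served from a hosts file.
            pending.pop(key, None)
    return [(s, c, q["qtype"], q["name"], q["upstream"])
            for (s, c), q in pending.items() if q["upstream"] is not None]


SAMPLE_LOG = [
    # Constructed: a query that is answered normally.
    "Apr 28 11:36:12 dnsmasq[440]: 131 192.168.2.209/51000 query[A] example.org from 192.168.2.209",
    "Apr 28 11:36:12 dnsmasq[440]: 131 192.168.2.209/51000 forwarded example.org to 127.0.0.1",
    "Apr 28 11:36:12 dnsmasq[440]: 131 192.168.2.209/51000 reply example.org is 192.0.2.10",
    # From the quoted message: forwarded, then nothing.
    "Apr 28 11:36:13 dnsmasq[440]: 132 192.168.2.209/43506 query[A] www.dnssec-failed.org from 192.168.2.209",
    "Apr 28 11:36:13 dnsmasq[440]: 132 192.168.2.209/43506 forwarded www.dnssec-failed.org to 127.0.0.1",
]

if __name__ == "__main__":
    for hit in unanswered_forwards(SAMPLE_LOG):
        print("no answer logged:", *hit)
```

A forwarded query with no answer line can also mean the upstream never responded, so a hit is a prompt to repeat the query directly against the upstream resolver and check the response code.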