[Dnsmasq-discuss] Fwd: SERVFAIL logging

Simon Kelley simon at thekelleys.org.uk
Fri May 4 21:54:35 BST 2018


On 04/05/18 17:32, Dominik wrote:
> Dear Simon,
> 
> good to hear this!
> SERVFAIL logging will be useful for a few things (mostly troubleshooting).

I just pushed a patch into git to make this happen.
> 
> I attach the output of the two commands you asked me to run (port 5353
> is my local unbound, port 53 is dnsmasq).
> 

Thanks. It's not the smoking gun, but it is more data.


Cheers,

Simon.

> Best,
> Dominik
> 
> 
> On 04.05.2018 16:35, Simon Kelley wrote:
>> It could certainly be added, and would be a useful thing to do.
>>
>> I'm actually more interested in the wrong/strange behaviour you mention,
>> since there's some evidence of this, and it seems to be problems with
>> the answers from upstream servers, but we can't identify which servers
>> are causing the problem.
>>
>> Please could you try the following two queries _to_your_unbound_server_
>> and report the results?
>>
>>
>> dig +dnssec ds archive.raspberrypi.org
>>
>>
>> dig +vc +dnssec ds archive.raspberrypi.org
>>
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>
>> On 28/04/18 10:40, Dominik wrote:
>>> Dear dnsmasq list members,
>>>
>>> I'm running an unbound recursive DNS server. It is the only forwarding
>>> destination of my local dnsmasq instance. The unbound resolver is aware
>>> of DNSSEC and handles it well. I have NOT enabled DNSSEC support in
>>> dnsmasq itself, as it was sometimes giving wrong/strange behavior (the
>>> same domains were sometimes SECURE, sometimes BOGUS). I'm running
>>> dnsmasq 2.79.
>>>
>>> If I query a BOGUS domain directly from my unbound resolver (e.g., dig
>>> www.dnssec-failed.org), I'm getting a SERVFAIL response. dnsmasq simply
>>> forwards this SERVFAIL to the requesting client and hence they are
>>> protected against BOGUS domain records just as expected.
>>>
>>> However, looking into dnsmasq's log file, I only see
>>>
>>> Apr 28 11:36:13 dnsmasq[440]: 132 192.168.2.209/43506 query[A]
>>> www.dnssec-failed.org from 192.168.2.209
>>> Apr 28 11:36:13 dnsmasq[440]: 132 192.168.2.209/43506 forwarded
>>> www.dnssec-failed.org to 127.0.0.1
>>>
>>> The SERVFAIL event is never logged.
>>>
>>> Could this be added without too much effort?
>>>
>>> Best regards,
>>> Dominik
>>>
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
> 
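The gap described in the original report (a query is logged as forwarded, but the SERVFAIL that comes back is never logged) can be spotted from the existing log lines. The following is an added example, not part of the original thread or of dnsmasq: it pairs lines by query serial and client address/port and reports forwarded queries with no answer line. The function name, the sample lines for serials 131 and 133, and the rule that any "... is ..." line counts as an answer are assumptions.

```python
import re

# dnsmasq log line carrying a query serial and client address/port, in the
# layout of the excerpt quoted in the thread.
LINE_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<serial>\d+) (?P<client>[^\s/]+)/(?P<port>\d+) "
    r"(?P<action>\S+) (?P<name>\S+) (?P<prep>from|to|is) (?P<arg>\S+)"
)

# Constructed sample. Serial 132 is the pair of lines from the thread
# (unwrapped); 131 and 133 are made-up answered queries for contrast.
SAMPLE_LOG = """\
Apr 28 11:36:12 dnsmasq[440]: 131 192.168.2.209/51820 query[A] example.org from 192.168.2.209
Apr 28 11:36:12 dnsmasq[440]: 131 192.168.2.209/51820 forwarded example.org to 127.0.0.1
Apr 28 11:36:12 dnsmasq[440]: 131 192.168.2.209/51820 reply example.org is 192.0.2.10
Apr 28 11:36:13 dnsmasq[440]: 132 192.168.2.209/43506 query[A] www.dnssec-failed.org from 192.168.2.209
Apr 28 11:36:13 dnsmasq[440]: 132 192.168.2.209/43506 forwarded www.dnssec-failed.org to 127.0.0.1
Apr 28 11:36:14 dnsmasq[440]: 133 192.168.2.209/40112 query[A] example.org from 192.168.2.209
Apr 28 11:36:14 dnsmasq[440]: 133 192.168.2.209/40112 cached example.org is 192.0.2.10
"""


def unanswered_forwards(log_text):
    """Return queries that were forwarded upstream but have no answer line."""
    pending = {}  # (serial, client, port) -> details; dict keeps log order
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        key = (m["serial"], m["client"], m["port"])
        if m["action"].startswith("query["):
            pending[key] = {"serial": int(m["serial"]), "client": m["client"],
                            "qtype": m["action"][6:-1], "name": m["name"],
                            "upstream": None}
        elif m["action"] == "forwarded" and key in pending:
            pending[key]["upstream"] = m["arg"]
        elif m["prep"] == "is":
            # Assumption: any "<source> <name> is <value>" line is an answer.
            pending.pop(key, None)
    return [q for q in pending.values() if q["upstream"] is not None]


if __name__ == "__main__":
    for q in unanswered_forwards(SAMPLE_LOG):
        print(f"{q['serial']}: {q['qtype']} {q['name']} from {q['client']} "
              f"forwarded to {q['upstream']}, no answer logged")
```

A forwarded query with no answer line can also be an upstream timeout, so a hit here is a candidate to re-check directly against the upstream resolver rather than proof of a SERVFAIL.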



