[Dnsmasq-discuss] Cannot look up disa.mil (dnssec related)

Neil Jerram neil at tigera.io
Mon Oct 22 23:28:16 BST 2018


Something to do with the recent change of the root DNSSEC key?

(dnsmasq has the new key in its codebase, but perhaps your config
isn't pulling it in correctly?)

On Mon, Oct 22, 2018 at 6:23 PM Craig Andrews <candrews at integralblue.com> wrote:
>
> I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we
> can figure out why that is.
>
> I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream
> DNS server; dnsmasq is running on 192.168.0.1.
>
> Here are a couple of tests demonstrating the problem:
> ------
> $ dig disa.mil @192.168.0.1 +dnssec +short
> <no output>
> $ dig disa.mil @8.8.8.8 +dnssec +short
> 156.112.108.76
> A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
> dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
> YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
> aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
> [candrews at craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
> 156.112.108.76
> ------
> So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with
> dnssec works, but not with dnsmasq.
>
> ------
> # dnsmasq --version
> Dnsmasq version 2.80test3  Copyright (c) 2000-2018 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6
> no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
> dumpfile
>
> This software comes with ABSOLUTELY NO WARRANTY.
> Dnsmasq is free software, and you are welcome to redistribute it
> under the terms of the GNU General Public License, version 2 or 3.
> ------
>
> Thanks in advance for your help and for this great software,
> ~Craig
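
One way to test the hypothesis in the reply above (that the configuration is not pulling in the new root key), as an added example that is not part of the original thread or of dnsmasq's code: the function checks dnsmasq configuration text for a root `trust-anchor=` entry carrying the current root KSK key tag. The function name, status strings and sample configs are assumptions made for illustration; the text passed in must include any file pulled in through `conf-file=`.

```python
ROOT_KSK_2017 = 20326  # key tag of the root KSK that signs the root zone since the October 2018 rollover
ROOT_KSK_2010 = 19036  # key tag of the previous root KSK


def root_anchor_status(conf_text):
    """Classify dnsmasq config text: is DNSSEC on, and which root anchor does it trust?"""
    dnssec_on = False
    root_tags = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line == "dnssec":
            dnssec_on = True
        elif line.startswith("trust-anchor="):
            fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
            # Syntax: trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
            if len(fields) == 6:
                fields = fields[1:]  # skip the optional class field
            if len(fields) != 5 or not fields[1].isdigit():
                continue  # malformed entry, cannot count as an anchor
            if fields[0] == ".":
                root_tags.add(int(fields[1]))
    if not dnssec_on:
        return "validation-off"
    if ROOT_KSK_2017 in root_tags:
        return "ok"
    if ROOT_KSK_2010 in root_tags:
        return "stale-root-anchor"  # only the old key: validation fails from the root down
    return "no-root-anchor"


# Constructed sample configs; the digest field is a placeholder, not a real DS digest.
STALE = """
dnssec
server=1.1.1.1
trust-anchor=.,19036,8,2,DIGEST_PLACEHOLDER
"""
CURRENT = """
dnssec  # validate answers
trust-anchor=IN,.,20326,8,2,DIGEST_PLACEHOLDER
"""

if __name__ == "__main__":
    for name, text in (("STALE", STALE), ("CURRENT", CURRENT)):
        print(name, root_anchor_status(text))
```
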


