[Dnsmasq-discuss] Cannot look up disa.mil (dnssec related)
Craig Andrews
candrews at integralblue.com
Wed Oct 24 04:13:32 BST 2018
On 23.10.2018 17:57, Simon Kelley wrote:
> On 22/10/2018 17:56, Craig Andrews wrote:
>> I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we
>> can figure out why that is.
>>
>> I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream
>> DNS server; dnsmasq is running on 192.168.0.1.
>>
>> Here are a couple of tests demonstrating the problem:
>> ------
>> $ dig disa.mil @192.168.0.1 +dnssec +short
>> <no output>
>> $ dig disa.mil @8.8.8.8 +dnssec +short
>> 156.112.108.76
>> A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
>> dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
>> YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
>> aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
>> [candrews at craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
>> 156.112.108.76
>> ------
>> So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with
>> dnssec works, but not with dnsmasq.
>>
>
> As Matthias says elsewhere in the thread, the last sentence above
> appears not to be correct: it does work with 8.8.8.8, but not with
> 1.1.1.1
>
> srk at holly:~$ dig disa.mil @8.8.8.8 +dnssec +short
> 156.112.108.76
> A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
> dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
> YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
> aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
> srk at holly:~$ dig disa.mil @1.1.1.1 +dnssec +short
> 156.112.108.76
>
>
> The replies from 1.1.1.1 are missing the DNSSEC signatures, and this
> appears to be a problem at Cloudflare, rather than a problem with
> dnsmasq, or with the domain.
>
> If I use 8.8.8.8 as upstream, dnsmasq validates fine. If I use 1.1.1.1
> validation fails, because 1.1.1.1 is not returning the RRSIG RRs, even
> though it's been asked to. Without those RRSIGs the reply can't be
> validated.
>
> This problem with 1.1.1.1 seems to extend to many more .mil domains.
>
> TL;DR. Not a dnsmasq problem, not a domain problem, probably a
> Cloudflare problem.
>
> Craig, please could you report this to Cloudflare?
>
>
> Cheers,
>
> Simon.
Thanks for correcting my misunderstanding of this issue!
I've reported the issue to Cloudflare at
https://community.cloudflare.com/t/1-1-1-1-doesnt-return-dnssec-data-for-disa-mil-googles-8-8-8-8-does/40837
Thanks,
~Craig
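The failure mode Simon describes above (an upstream that answers a DO-bit query without the RRSIG RRs, leaving a validating forwarder such as dnsmasq nothing to validate) can be checked independently of dnsmasq. The following is an added example, not code from the thread or from the dnsmasq project: it builds a query with the EDNS0 DO bit (what `dig +dnssec` sends), parses the reply, and reports whether the answer section carries an RRSIG covering the answered type. The two packets at the bottom are constructed to mirror the dig output shown in the thread (A record, RRSIG fields as printed there); the 128-byte signature value is a placeholder, and the `query()` helper that talks to a real resolver is an assumption about how one would run the live comparison (UDP only, no TCP fallback for truncated replies).

```python
import calendar
import socket
import struct
import time

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
TYPE_NAMES = {TYPE_A: "A", TYPE_RRSIG: "RRSIG"}


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels (uncompressed)."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Query with an EDNS0 OPT RR carrying the DO bit, i.e. what `dig +dnssec` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags (DO=0x8000)
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer: follow it, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes):
    """Return (rcode, ad_bit, records); each record is (section, name, type, rdata)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return flags & 0x000F, bool(flags & 0x0020), records


def classify(msg: bytes, qtype: int = TYPE_A) -> str:
    """What a validating forwarder sees: 'signed' (data + covering RRSIG), 'unsigned'
    (data but no RRSIG although DO was set: the symptom in the thread), or 'nodata'."""
    answers = [r for r in parse_response(msg)[2] if r[0] == "answer"]
    if not any(r[2] == qtype for r in answers):
        return "nodata"
    covered = {struct.unpack("!H", r[3][:2])[0] for r in answers if r[2] == TYPE_RRSIG}
    return "signed" if qtype in covered else "unsigned"


def format_rrsig(rdata: bytes) -> str:
    """Present RRSIG rdata the way dig does (signature omitted)."""
    covered, alg, labels, ottl, exp, inc, keytag = struct.unpack("!HBBIIIH", rdata[:18])
    signer, _ = _read_name(rdata, 18)
    ts = lambda t: time.strftime("%Y%m%d%H%M%S", time.gmtime(t))
    return f"{TYPE_NAMES.get(covered, covered)} {alg} {labels} {ottl} {ts(exp)} {ts(inc)} {keytag} {signer}"


def rrsig_rdata(covered, alg, labels, ottl, exp, inc, keytag, signer, sig):
    """Encode RRSIG rdata (RFC 4034 s3.1); exp/inc given as YYYYMMDDHHMMSS strings."""
    t = lambda s: calendar.timegm(time.strptime(s, "%Y%m%d%H%M%S"))
    return struct.pack("!HBBIIIH", covered, alg, labels, ottl, t(exp), t(inc), keytag) + encode_name(signer) + sig


def build_response(name, answers, txid=0x1234):
    """Encode a constructed reply (QR/RD/RA set) for offline tests; not real resolver output."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    qname = encode_name(name)
    body = qname + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:
        body += qname + struct.pack("!HHIH", rtype, 1, 7200, len(rdata)) + rdata
    return header + body


def query(server: str, name: str, qtype: int = TYPE_A, timeout: float = 3.0) -> bytes:
    """Live check against a resolver (assumed helper; needs network, UDP only, no TC retry)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(4096)


# Constructed packets modelled on the thread's dig output; the signature bytes are a placeholder.
DISA_A = socket.inet_aton("156.112.108.76")
DISA_RRSIG = rrsig_rdata(TYPE_A, 8, 2, 7200, "20181117145327", "20181018145327", 52983, "disa.mil.", b"\x00" * 128)
WITH_SIGS = build_response("disa.mil.", [(TYPE_A, DISA_A), (TYPE_RRSIG, DISA_RRSIG)])  # 8.8.8.8-style reply
WITHOUT_SIGS = build_response("disa.mil.", [(TYPE_A, DISA_A)])                         # 1.1.1.1-style reply

if __name__ == "__main__":
    for label, pkt in (("8.8.8.8-style", WITH_SIGS), ("1.1.1.1-style", WITHOUT_SIGS)):
        print(label, classify(pkt))
    # Live comparison (uncomment):  for s in ("8.8.8.8", "1.1.1.1"): print(s, classify(query(s, "disa.mil.")))
```

Run it as-is to see the two constructed replies classified as `signed` and `unsigned`; point `query()` at each upstream to reproduce Simon's comparison. An `unsigned` result from an upstream that was asked with DO set is exactly the condition under which dnsmasq cannot validate and returns nothing to the client.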