[Dnsmasq-discuss] DNSSEC BOGUS still replied to with IP

Dominik DL6ER dl6er at dl6er.de
Fri Mar 1 18:56:19 GMT 2019


Dear list members,

To my understanding, dnsmasq should not return any valid records for BOGUS domains.
However, using Cloudflare (1.1.1.1 / 1.0.0.1) as upstream, I see domains being
validated as BOGUS in the log, but the A query still succeeds and the client
receives valid IP addresses. I'm using dnsmasq v2.80.

Corresponding log excerpt:

Mar  1 12:07:43 dnsmasq[28682]: query[A] www.vp4.navy.mil from 192.168.0.135
Mar  1 12:07:43 dnsmasq[28682]: forwarded www.vp4.navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 2
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DNSKEY] mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 59896, algo 8
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 10428, algo 8
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 15450, algo 8
Mar  1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 2
Mar  1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] vp4.navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Mar  1 12:07:43 dnsmasq[28682]: reply vp4.navy.mil is BOGUS DS
Mar  1 12:07:43 dnsmasq[28682]: validation www.vp4.navy.mil is BOGUS
Mar  1 12:07:43 dnsmasq[28682]: reply www.vp4.navy.mil is <CNAME>
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 34.196.13.230
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 52.0.22.76

Is this intended behavior?

Best regards,
Dominik
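As an added illustration (not part of the original post, nor dnsmasq's own code), the following Python check scans dnsmasq log lines in the format shown above and flags any address handed out after a "validation ... is BOGUS" verdict, CNAME chains included; the sample log text is constructed from the excerpt and the regular expressions are assumptions about the log format.

```python
import ipaddress
import re

# Constructed sample modelled on the posted excerpt: BOGUS yet answered via CNAME, then a SECURE query.
SAMPLE_LOG = """\
Mar  1 12:07:43 dnsmasq[28682]: query[A] www.vp4.navy.mil from 192.168.0.135
Mar  1 12:07:43 dnsmasq[28682]: validation www.vp4.navy.mil is BOGUS
Mar  1 12:07:43 dnsmasq[28682]: reply www.vp4.navy.mil is <CNAME>
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 34.196.13.230
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 52.0.22.76
Mar  1 12:07:44 dnsmasq[28682]: query[A] example.net from 192.168.0.135
Mar  1 12:07:44 dnsmasq[28682]: validation example.net is SECURE
Mar  1 12:07:44 dnsmasq[28682]: reply example.net is 192.0.2.10
"""

LINE_RE = re.compile(r"dnsmasq\[(\d+)\]: (.*)")  # pid, message (one match per line)
QUERY_RE = re.compile(r"^query\[\w+\] \S+ from \S+$")
VALIDATION_RE = re.compile(r"^validation (\S+) is (\S+)")
REPLY_RE = re.compile(r"^reply (\S+) is (\S+)")


def is_ip_address(value):
    """True for an A/AAAA payload; False for <CNAME>, DS, DNSKEY, NXDOMAIN, ..."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_bogus_leaks(log_text):
    """Return (bogus_name, answered_name, address) for every address logged between a
    BOGUS verdict and the next query of the same process (assumes serial logging)."""
    bogus_in_flight = {}  # pid -> query name currently flagged BOGUS
    leaks = []
    for m in LINE_RE.finditer(log_text):
        pid, msg = m.groups()
        if QUERY_RE.match(msg):  # a new query means the previous answer is complete
            bogus_in_flight.pop(pid, None)
            continue
        v = VALIDATION_RE.match(msg)
        if v:  # only a BOGUS verdict arms the detector; SECURE/INSECURE clears it
            if v.group(2) == "BOGUS":
                bogus_in_flight[pid] = v.group(1)
            else:
                bogus_in_flight.pop(pid, None)
            continue
        r = REPLY_RE.match(msg)
        if r and pid in bogus_in_flight and is_ip_address(r.group(2)):
            leaks.append((bogus_in_flight[pid], r.group(1), r.group(2)))
    return leaks
```

On the sample it reports the two ELB addresses against www.vp4.navy.mil and nothing for the SECURE example.net query; on a busy resolver with interleaved queries the per-process state would need finer correlation.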
