[Dnsmasq-discuss] DNSSEC BOGUS still replied to with IP
Dominik DL6ER
dl6er at dl6er.de
Fri Mar 1 18:56:19 GMT 2019
Dear list members,
to my understanding, dnsmasq should not return any valid records for BOGUS domains.
However, using Cloudflare (1.1.1.1 / 1.0.0.1) as upstream, I see a domain being
validated as BOGUS in the log; however, the A query still succeeds and the client
receives valid IP addresses. I'm using dnsmasq v2.80.
Corresponding log excerpt:
Mar 1 12:07:43 dnsmasq[28682]: query[A] www.vp4.navy.mil from 192.168.0.135
Mar 1 12:07:43 dnsmasq[28682]: forwarded www.vp4.navy.mil to 1.0.0.1
Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DS] mil to 1.0.0.1
Mar 1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 2
Mar 1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 1
Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DS] navy.mil to 1.0.0.1
Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DNSKEY] mil to 1.0.0.1
Mar 1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 59896, algo 8
Mar 1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 10428, algo 8
Mar 1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 15450, algo 8
Mar 1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 2
Mar 1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 1
Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DS] vp4.navy.mil to 1.0.0.1
Mar 1 12:07:43 dnsmasq[28682]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Mar 1 12:07:43 dnsmasq[28682]: reply vp4.navy.mil is BOGUS DS
Mar 1 12:07:43 dnsmasq[28682]: validation www.vp4.navy.mil is BOGUS
Mar 1 12:07:43 dnsmasq[28682]: reply www.vp4.navy.mil is <CNAME>
Mar 1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 34.196.13.230
Mar 1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 52.0.22.76
Is this intended behavior?
Best regards,
Dominik
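As an added illustration (not part of Dominik's message and not dnsmasq code), the following script scans dnsmasq query-log output for the symptom described in the post: a "validation NAME is BOGUS" line that is nevertheless followed by address records in the same query's log lines. The sample input is the log excerpt from the post, embedded as a constructed string. It assumes the default log-queries format and that all lines belonging to one query are contiguous, which holds for this excerpt but not in general on a busy resolver (dnsmasq's `--log-queries=extra` prefixes each line with a serial number that could be used instead of positional grouping).

```python
import ipaddress
import re

# Constructed sample: the excerpt from the post above, verbatim.
SAMPLE_LOG = """\
Mar 1 12:07:43 dnsmasq[28682]: query[A] www.vp4.navy.mil from 192.168.0.135
Mar 1 12:07:43 dnsmasq[28682]: forwarded www.vp4.navy.mil to 1.0.0.1
Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DS] mil to 1.0.0.1
Mar 1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 2
Mar 1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 1
Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DS] navy.mil to 1.0.0.1
Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DNSKEY] mil to 1.0.0.1
Mar 1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 59896, algo 8
Mar 1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 10428, algo 8
Mar 1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 15450, algo 8
Mar 1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 2
Mar 1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 1
Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DS] vp4.navy.mil to 1.0.0.1
Mar 1 12:07:43 dnsmasq[28682]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Mar 1 12:07:43 dnsmasq[28682]: reply vp4.navy.mil is BOGUS DS
Mar 1 12:07:43 dnsmasq[28682]: validation www.vp4.navy.mil is BOGUS
Mar 1 12:07:43 dnsmasq[28682]: reply www.vp4.navy.mil is <CNAME>
Mar 1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 34.196.13.230
Mar 1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 52.0.22.76
"""

# Strip the syslog prefix; everything after "dnsmasq[PID]: " is the message.
LINE_RE = re.compile(r"dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Client queries ("query[A] name from client"); "dnssec-query[...]" lines do not match.
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
VALIDATION_RE = re.compile(r"^validation (?P<name>\S+) is (?P<status>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<rdata>.*)$")


def is_ip_address(text):
    """True if the reply rdata is a literal IPv4/IPv6 address (not DS/DNSKEY/CNAME text)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def find_bogus_with_answers(log_text):
    """Return queries whose name was logged as BOGUS yet still received address answers.

    Each finding is a dict with the queried name, qtype, client and the list of
    (owner, address) pairs logged after the query. Address replies for a CNAME
    target (as in the sample) are attributed to the query they follow.
    Assumption: log lines of one query are contiguous (see lead-in).
    """
    queries = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        msg = m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            current = {"name": q["name"], "qtype": q["qtype"], "client": q["client"],
                       "bogus": False, "answers": []}
            queries.append(current)
            continue
        if current is None:
            continue
        v = VALIDATION_RE.match(msg)
        if v and v["name"] == current["name"] and v["status"] == "BOGUS":
            current["bogus"] = True
            continue
        r = REPLY_RE.match(msg)
        if r and is_ip_address(r["rdata"]):
            current["answers"].append((r["name"], r["rdata"]))
    return [q for q in queries if q["bogus"] and q["answers"]]


if __name__ == "__main__":
    for finding in find_bogus_with_answers(SAMPLE_LOG):
        addrs = ", ".join(addr for _, addr in finding["answers"])
        print(f"{finding['name']} ({finding['qtype']}) for {finding['client']}: "
              f"validation BOGUS but answered with {addrs}")
```

Run against the excerpt, it reports the one query in the post (www.vp4.navy.mil answered with the two ELB addresses after the BOGUS validation line); a query whose validation line reads SECURE or INSECURE produces no finding, so the output is empty on a correctly behaving resolver.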