[Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

Tore Anderson tore at fud.no
Tue Sep 3 17:43:08 BST 2019

Hi again,

> OK. scratch that. Looks like we just captured an irrelevant key-rollover.
> The problem here is that the reply to the original query contains an
> unsigned RRset of NS records in the auth section. Said NS records are in
> a signed zone, which flags them as bogus. As far as I can see, that's
> correct for records in the answer section, but for records in the auth
> section, it merely renders the reply as insecure. That would seem to
> make the AD bit rather useless, but I guess it's useless anyway.....
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69a0477b741c1f8195c64417fec4a92a50c9291a
> Attempts to fix this.
> Thanks again for your work testing and diagnosing this.

I can confirm that Dnsmasq 69a0477 resolves www.linuxquestions.org and www.ipv6.org.uk as expected (DNSSEC state insecure). Great work, thanks!
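A simplified model of the validation outcome discussed in the quoted message, added here as an illustration; it is not dnsmasq's code. The `lenient_authority` switch, the `.example` names and the sample reply are constructed assumptions.

```python
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

@dataclass
class RRset:
    section: str       # "answer" or "authority"
    name: str
    rtype: str
    zone_signed: bool  # chain of trust reaches the zone holding this RRset
    sig_valid: bool    # an RRSIG was present and validated (False if unsigned)

def classify(rrset, lenient_authority=True):
    """Validation state of one RRset."""
    if not rrset.zone_signed:
        return INSECURE            # provably unsigned zone, nothing to check
    if rrset.sig_valid:
        return SECURE
    # Signed zone, but no valid signature over this RRset.
    if rrset.section == "authority" and lenient_authority:
        return INSECURE            # behaviour described for the auth section
    return BOGUS                   # still fatal in the answer section

def reply_status(rrsets, lenient_authority=True):
    """Worst state wins: any bogus RRset poisons the reply."""
    states = {classify(r, lenient_authority) for r in rrsets}
    if BOGUS in states:
        return BOGUS
    return INSECURE if INSECURE in states else SECURE

def ad_bit(status):
    """AD is only set when every RRset validated as secure."""
    return status == SECURE

# Constructed reply: insecure CNAME -> signed target, unsigned NS in authority.
REPLY = [
    RRset("answer", "www.unsigned.example", "CNAME", False, False),
    RRset("answer", "host.signed.example", "A", True, True),
    RRset("authority", "signed.example", "NS", True, False),
]

if __name__ == "__main__":
    print("strict :", reply_status(REPLY, lenient_authority=False))
    print("lenient:", reply_status(REPLY))
```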

