[Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

Simon Kelley simon at thekelleys.org.uk
Tue Sep 3 22:37:57 BST 2019


On 03/09/2019 18:29, Tore Anderson wrote:
> * Tore Anderson
> 
>> Apologies, I botched my test (using the wrong upstream server). It does *not* work, but the error is different:
>>
>> $ src/dnsmasq -d -p 5353
>> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
>> dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
>> dnsmasq: DNSSEC validation enabled
>> dnsmasq: configured with trust anchor for <root> keytag 20326
>> dnsmasq: configured with trust anchor for <root> keytag 19036
>> dnsmasq: using nameserver 87.238.33.1#53
>> dnsmasq: cleared cache
>> dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
>> dnsmasq: forwarded www.ipv6.org.uk to 87.238.33.1
>> dnsmasq: dnssec-query[DS] uk to 87.238.33.1
>> dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
>> dnsmasq: reply . is DNSKEY keytag 59944, algo 8
>> dnsmasq: reply . is DNSKEY keytag 20326, algo 8
>> dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2
>> dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
>> dnsmasq: dnssec-query[DNSKEY] uk to 87.238.33.1
>> dnsmasq: reply uk is DNSKEY keytag 43876, algo 8
>> dnsmasq: reply uk is DNSKEY keytag 43056, algo 8
>> dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: dnssec-query[DNSKEY] org.uk to 87.238.33.1
>> dnsmasq: reply org.uk is DNSKEY keytag 41523, algo 8
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> [...]
>>
>> This query is repeated ~44 times in a tight loop. It makes a total of 50 queries before giving up; I guess it hits a built-in limit.
>>
>> PCAP attached.
>>
>> It seems to happen with *all* Insecure domain names (not only those that have CNAMES pointing to other Secure domain names).
> 
> Bisected:
> 
> ae7a3b9d2e8705af203a1347c397718a24331747 is the first bad commit
> commit ae7a3b9d2e8705af203a1347c397718a24331747
> Author: Simon Kelley <simon at thekelleys.org.uk>
> Date:   Tue Sep 3 14:40:47 2019 +0100
> 
>     DNSSEC: implement RFC-4036 para 5.3.3. rules on TTL values.
> 
> :040000 040000 52d7ead3d28019308dff0cb0dfcd80e4ef0341de 60ff380eb9c6b813d5081dee470d276be2109480 M      src
> 
> If I revert this one, www.ipv6.org.uk and www.linuxquestions.org both resolve fine (as Insecure). So the fix in 69a0477 seems good.
> 
>

Ah well, one step forward, one step back. Needless to say, this doesn't
occur with 8.8.8.8 as upstream server, so the promised, but missing,
pcap would be useful to track it down.

Cheers,

Simon.
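As an added example (not part of this thread or of the dnsmasq source), a small Python checker for the symptom described above: it parses dnsmasq `-d` log lines of the kind quoted, reports any dnssec-query that is repeated at least a threshold number of times, and lists the DS chain up to the zone cut where it turns Insecure. The log excerpt is constructed from the quoted lines, and the threshold is an assumption rather than a dnsmasq limit.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the dnsmasq -d log quoted in the thread
SAMPLE_LOG = """\
dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
dnsmasq: dnssec-query[DS] uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
dnsmasq: reply . is DNSKEY keytag 20326, algo 8
dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2
dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
"""

QUERY_RE = re.compile(r"dnssec-query\[(?P<rtype>[A-Z]+)\] (?P<name>\S+) to ")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<what>no DS|DS keytag \d+|DNSKEY keytag \d+)")

def find_query_loops(log, threshold=3):
    """Return {(rtype, name): count} for every dnssec-query asked at least
    `threshold` times. A normal validation asks each (type, name) once per
    lookup; the same DS question repeated dozens of times is the reported bug."""
    counts = Counter()
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[(m["rtype"], m["name"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

def delegation_chain(log):
    """Return the DS answers in the order dnsmasq received them, de-duplicated,
    so the zone cut where the chain becomes Insecure ("no DS") is visible."""
    chain = []
    for line in log.splitlines():
        m = REPLY_RE.search(line)
        if m and (m["what"] == "no DS" or m["what"].startswith("DS ")):
            entry = (m["name"], m["what"])
            if entry not in chain:
                chain.append(entry)
    return chain

if __name__ == "__main__":
    print("DS chain:", delegation_chain(SAMPLE_LOG))
    print("looping queries:", find_query_loops(SAMPLE_LOG))
```

Feed it the real `-d` output (or the log lines from the pcap) to confirm whether the repeated question is always the final `no DS` zone cut, as the report suggests.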
