[Dnsmasq-discuss] BOGUS DNSSEC responses

Simon Kelley simon at thekelleys.org.uk
Sun Jul 5 22:17:16 BST 2020


Just a stab in the dark: are you sure that the clocks on these machines
are accurate? DNSSEC signatures have validity periods and when I checked
obsswitcher.com its start-of-validity time was only an hour or so before
the time when I checked, so a bad clock would explain what you're seeing.

Failing that, you don't say what version of dnsmasq you're running.
Please make sure you upgrade to 2.81 if you're running older code. That
fixes lots of DNSSEC bugs.

If 2.81 still shows the problem, set the following dnsmasq configuration

dumpfile=<path/to/file>
dumpmask=0x00C0

run the test again and send me the resulting dumps.


Cheers,

Simon.
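The clock-skew explanation above can be checked directly: an RRSIG carries an inception and an expiration timestamp, and a validator that thinks it is earlier than the inception (or later than the expiration) marks the answer BOGUS. The following script is an added example, not part of this thread or of dnsmasq; it parses RRSIG records in zone-file presentation format and reports whether the local clock falls inside their validity windows. The sample records are constructed for the example (the key tag and signature fields are placeholders, not real data for obsswitcher.com).

```python
from datetime import datetime, timezone

# Constructed sample RRSIG records in zone-file presentation format.
# They are NOT taken from the thread; key tag and signature are placeholders.
# RRSIG RDATA field order (RFC 4034): type covered, algorithm, labels,
# original TTL, signature expiration, signature inception, key tag,
# signer name, signature.
SAMPLE_RRSIGS = [
    "obsswitcher.com. 3600 IN RRSIG A 13 2 3600 "
    "20200712160000 20200705150000 12345 obsswitcher.com. PLACEHOLDERSIG==",
    "obsswitcher.com. 3600 IN RRSIG AAAA 13 2 3600 "
    "20200712160000 20200705150000 12345 obsswitcher.com. PLACEHOLDERSIG==",
]


def parse_timestamp(field):
    """Parse the YYYYMMDDHHMMSS form used in RRSIG presentation format as UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one presentation-format RRSIG line into the fields we need."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "expiration": parse_timestamp(f[8]),
        "inception": parse_timestamp(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def classify(rrsig, now):
    """Return (status, seconds): how far outside the validity window 'now' lies."""
    if now < rrsig["inception"]:
        return "not-yet-valid", int((rrsig["inception"] - now).total_seconds())
    if now > rrsig["expiration"]:
        return "expired", int((now - rrsig["expiration"]).total_seconds())
    return "valid", 0


def diagnose(lines, now_field):
    """Summarise a set of RRSIGs against a clock reading given as YYYYMMDDHHMMSS.

    Returns (verdict, seconds):
      'ok'                   every signature is valid at that time;
      'clock-behind'         none has started yet: the local clock is at least
                             'seconds' behind the signer's clock;
      'clock-ahead-or-stale' all have expired: clock ahead, or cached data too old;
      'mixed'                anything else (look at the individual records).
    """
    now = parse_timestamp(now_field)
    results = [classify(parse_rrsig(line), now) for line in lines]
    statuses = {status for status, _ in results}
    if statuses == {"valid"}:
        return "ok", 0
    if statuses == {"not-yet-valid"}:
        return "clock-behind", min(d for _, d in results)
    if statuses == {"expired"}:
        return "clock-ahead-or-stale", min(d for _, d in results)
    return "mixed", 0


if __name__ == "__main__":
    # Against the real local clock, as a validating resolver would see it.
    print(diagnose(SAMPLE_RRSIGS, datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")))
    # A clock one hour behind the signer makes every fresh signature "not yet valid".
    print(diagnose(SAMPLE_RRSIGS, "20200705140000"))
```

In practice the RRSIG lines come from `dig +dnssec` output (or from the dnsmasq dump files requested above), and a run that reports `clock-behind` with a small number of seconds is the signature of an unsynchronised clock rather than a broken zone: signers typically set inception slightly in the past precisely to absorb small skew, so even an hour of drift is enough to push freshly signed records outside their window.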


On 04/07/2020 17:37, László Károlyi wrote:

> Hey,
> 
> I have a FreeBSD box where jails communicate with dnsmasq outside to
> resolve each other's addresses (they get different IPs on
> redeployments), and dnsmasq communicates with unbound where it needs to
> resolve outside domains.
> 
> When running stuff from cron within the jails, sometimes hostnames don't
> resolve and I started to investigate on the problem by turning debug log
> on with dnsmasq. As it turns out, it complains about domain DNSSEC
> errors, where they are properly configured. This happens with my domain
> (attached in the logs), and other domains (github,
> updates.spamassassin.org) as well. I'm somewhat clueless as to why it
> happens, so please see the log attached, with my own domain,
> obsswitcher.com. What happens here is, I've set up a cronjob with curl
> to run until it succeeds, that is:
> 
> while true; do curl -s 'https://obsswitcher.com/' && break || date; done
> 
> Sometimes hostname resolution succeeds at first time, sometimes it takes
> 200+ tries until it succeeds once, and quits. The attached log is the
> one where it happened 200+ times before succeeding.
> 
> Any help is appreciated.
> 
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi
> 
> 
