[Dnsmasq-discuss] BOGUS DNSSEC responses
László Károlyi
laszlo at karolyi.hu
Sun Jul 5 23:41:16 BST 2020
Hey Simon,
thanks for your response.
Yes, my bad, I should have said at the outset that I use the latest
dnsmasq in FreeBSD with the latest official (12.1-RELEASE-p6) release on
the latest patch level. So, dnsmasq is "2.81_2,1", as defined here:
https://www.freshports.org/dns/dnsmasq/
I use NTP to keep the time in sync on my box, the output of ntpq -n -p is:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.freebsd.pool. .POOL.          16 p    -   64    0    0.000   +0.000   0.000
-162.159.200.1   10.71.10.44      3 u   49 1024  377    5.077   -2.686   0.288
*193.158.22.13   .MBGh.           1 u  217 1024  377   11.921   -1.232   0.298
+85.209.49.104   35.73.197.144    2 u   81 1024  377    2.780   -0.842   0.242
+185.120.22.12   130.149.17.21    2 u  384 1024  377    5.404   -0.482   0.384
-212.18.3.19     212.18.1.106     2 u  122 1024  377    6.106   -1.292   0.260
Basically as you can see, no egregious time differences (delay is in
milliseconds). As for the domains, my domain is kept in cloudflare, they
provide the DNSSEC records as well. I don't know if that's the case for
github and/or updates.spamassassin.org, which I also see failing.
I'll set the flags and logfile you provided, and will wait until the
error occurs again, and then I'll touch base again with you. It should
take a day or two at most, the sometimes failing cronjob runs hourly.
Best Regards,
--
László Károlyi
https://linkedin/com/in/karolyi
On 05.07.20 23:17, Simon Kelley wrote:
> Just a stab in the dark: are you sure that the clocks on these machines
> are accurate? DNSSEC signatures have validity periods and when I checked
> obsswitcher.com its start-of-validity time was only an hour or so before
> the time when I checked, so a bad clock would explain what you're seeing.
>
> Failing that, you don't say what version of dnsmasq you're running.
> Please make sure you upgrade to 2.81 if you're running older code. That
> fixes lots of DNSSEC bugs.
>
> If 2.81 still shows the problem, set the following dnsmasq configuration
>
> dumpfile=<path/to/file>
> dumpmask=0x00C0
>
> run the test again and send me the resulting dumps.
>
>
> Cheers,
>
> Simon.
>