[Dnsmasq-discuss] BOGUS DNSSEC responses

László Károlyi laszlo at karolyi.hu
Sun Jul 5 23:41:16 BST 2020


Hey Simon,

thanks for your response.

Yes, my bad, I should have said at the outset that I use the latest
dsmasq in FreeBSD with the latest official (12.1-RELEASE-p6) release on
the latest patch level. So, dnsmasq is "2.81_2,1" , as defined here:

https://www.freshports.org/dns/dnsmasq/

I use NTP to keep the time in sync on my box, the output of ntpq -n -p is:

     remote           refid      st t when poll reach   delay   offset 
jitter
==============================================================================
 0.freebsd.pool. .POOL.          16 p    -   64    0    0.000   +0.000  
0.000
-162.159.200.1   10.71.10.44      3 u   49 1024  377    5.077   -2.686  
0.288
*193.158.22.13   .MBGh.           1 u  217 1024  377   11.921   -1.232  
0.298
+85.209.49.104   35.73.197.144    2 u   81 1024  377    2.780   -0.842  
0.242
+185.120.22.12   130.149.17.21    2 u  384 1024  377    5.404   -0.482  
0.384
-212.18.3.19     212.18.1.106     2 u  122 1024  377    6.106   -1.292  
0.260

Basically as you can see, no egregious time differences (delay is in
milliseconds). As for the domains, my domain is kept in cloudflare, they
provide the DNSSEC records as well. I don't know if that's the case for
github and/or updates.spamassassin.org, which I also see failing.

I'll set the flags and logfile you provided, and will wait until the
error occurs again, and then I'll touch base again with you. It should
take a day or two at most, the sometimes failing cronjob runs hourly.

Best Regards,
--
László Károlyi
https://linkedin/com/in/karolyi

On 05.07.20 23:17, Simon Kelley wrote:
> Just a stab in the dark: are you sure that the clocks on these machines
> are accurate? DNSSEC signatures have validity periods and when I checked
> obsswitcher.com its start-of-validity time was only an hour or so before
> the time when I checked, so a bad clock would explain what you're seeing.
>
> Failing that, you don't say what version of dnsmasq you're running.
> PLease make sure you upgrade to 2.81 if you're running older code. That
> fixes lots of DNSSEC bugs.
>
> If 2.81 still shows the problem, set the following dnsmasq configuration
>
> dumpfile=<path/to/file>
> dumpmask=0x00C0
>
> run the test again and send me the resulting dumps.
>
>
> Cheers,
>
> Simon.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20200706/606f9f12/attachment.sig>


More information about the Dnsmasq-discuss mailing list