[Dnsmasq-discuss] BOGUS DNSSEC responses
László Károlyi
laszlo at karolyi.hu
Mon Jul 6 09:50:43 BST 2020
So, this was done faster than I thought.
I've uploaded the file to wetransfer since it's 3MB and I don't want an
outcry from people on here about me sending huge emails:
https://we.tl/t-mlLySN7n0f
In that dump, you will probably see obsswitcher.com,
updates.spamassassin.org and api.foursquare.com failed requests. I
didn't look into it in detail, but the sheer size should indicate a lot
of failed requests.
Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi
On 2020-07-06 00:41, László Károlyi wrote:
> Hey Simon,
>
> thanks for your response.
>
> Yes, my bad, I should have said at the outset that I use the latest
> dnsmasq in FreeBSD with the latest official (12.1-RELEASE-p6) release on
> the latest patch level. So, dnsmasq is "2.81_2,1", as defined here:
>
> https://www.freshports.org/dns/dnsmasq/
>
> I use NTP to keep the time in sync on my box, the output of ntpq -n -p is:
>
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  0.freebsd.pool. .POOL.          16 p    -   64    0    0.000   +0.000   0.000
> -162.159.200.1   10.71.10.44      3 u   49 1024  377    5.077   -2.686   0.288
> *193.158.22.13   .MBGh.           1 u  217 1024  377   11.921   -1.232   0.298
> +85.209.49.104   35.73.197.144    2 u   81 1024  377    2.780   -0.842   0.242
> +185.120.22.12   130.149.17.21    2 u  384 1024  377    5.404   -0.482   0.384
> -212.18.3.19     212.18.1.106     2 u  122 1024  377    6.106   -1.292   0.260
>
> Basically as you can see, no egregious time differences (delay is in
> milliseconds). As for the domains, my domain is kept in cloudflare, they
> provide the DNSSEC records as well. I don't know if that's the case for
> github and/or updates.spamassassin.org, which I also see failing.
>
> I'll set the flags and logfile you provided, and will wait until the
> error occurs again, and then I'll touch base again with you. It should
> take a day or two at most, the sometimes failing cronjob runs hourly.
>
> Best Regards,
> --
> László Károlyi
> https://linkedin/com/in/karolyi
>
> On 05.07.20 23:17, Simon Kelley wrote:
>> Just a stab in the dark: are you sure that the clocks on these machines
>> are accurate? DNSSEC signatures have validity periods and when I checked
>> obsswitcher.com its start-of-validity time was only an hour or so before
>> the time when I checked, so a bad clock would explain what you're seeing.
>>
>> Failing that, you don't say what version of dnsmasq you're running.
>> Please make sure you upgrade to 2.81 if you're running older code. That
>> fixes lots of DNSSEC bugs.
>>
>> If 2.81 still shows the problem, set the following dnsmasq configuration
>>
>> dumpfile=<path/to/file>
>> dumpmask=0x00C0
>>
>> run the test again and send me the resulting dumps.
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>
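The clock question raised in the thread (a signature whose start-of-validity time is only about an hour old fails validation on a machine whose clock runs behind) can be checked with the sketch below. It is an added example, not part of the original messages and not dnsmasq code. The RRSIG line, the name example.test, the key tag and the timestamps are constructed, and the comparison is a simplified version of what a validator does with the inception and expiration fields.

```python
from datetime import datetime, timedelta, timezone

# Constructed RRSIG in dig presentation format (RFC 4034 section 3.2).
# Name, key tag and signature are placeholders, not data from the thread.
SAMPLE_RRSIG = (
    "example.test. 300 IN RRSIG A 13 2 300 "
    "20200708085043 20200706085043 12345 example.test. c2lnbmF0dXJl"
)
# Assumed "true" time: one hour after the constructed inception time.
TRUE_TIME = datetime(2020, 7, 6, 9, 50, 43, tzinfo=timezone.utc)


def _to_utc(field):
    """RRSIG times are YYYYMMDDHHmmSS (UTC) or decimal seconds since the epoch."""
    if len(field) == 14:
        parsed = datetime.strptime(field, "%Y%m%d%H%M%S")
        return parsed.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig_window(line):
    """Return (inception, expiration) as timezone-aware UTC datetimes."""
    fields = line.split()
    idx = fields.index("RRSIG")
    # After RRSIG: type covered, algorithm, labels, original TTL,
    # expiration, inception (expiration comes first in the text form).
    return _to_utc(fields[idx + 6]), _to_utc(fields[idx + 5])


def classify(line, local_clock):
    """Judge the signature as a validator with this local clock would."""
    inception, expiration = parse_rrsig_window(line)
    if local_clock < inception:
        return "not-yet-valid"
    if local_clock > expiration:
        return "expired"
    return "valid"


def min_margin(line, true_time):
    """Seconds of clock error needed to push a validator outside the window."""
    inception, expiration = parse_rrsig_window(line)
    return min(true_time - inception, expiration - true_time).total_seconds()


if __name__ == "__main__":
    for skew in (timedelta(0), timedelta(hours=-2), timedelta(days=3)):
        print(skew, classify(SAMPLE_RRSIG, TRUE_TIME + skew))
    print("margin (s):", min_margin(SAMPLE_RRSIG, TRUE_TIME))
```

The margin is in seconds, while the offset column of `ntpq -p` is reported in milliseconds, so convert before comparing the two.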