[Dnsmasq-discuss] BOGUS DNSSEC responses

László Károlyi laszlo at karolyi.hu
Mon Jul 6 09:50:43 BST 2020


So, this was done faster than I thought.

I've uploaded the file to wetransfer since it's 3MB and I don't want an
outcry from people on here about me sending huge emails:
https://we.tl/t-mlLySN7n0f

In that dump, you will probably see obsswitcher.com,
updates.spamassassin.org and api.foursquare.com failed requests. I
didn't look into it in detail, but the sheer size should indicate a lot
of failed requests.

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2020-07-06 00:41, László Károlyi wrote:
> Hey Simon,
>
> thanks for your response.
>
> Yes, my bad, I should have said at the outset that I use the latest
> dnsmasq in FreeBSD with the latest official (12.1-RELEASE-p6) release on
> the latest patch level. So, dnsmasq is "2.81_2,1" , as defined here:
>
> https://www.freshports.org/dns/dnsmasq/
>
> I use NTP to keep the time in sync on my box, the output of ntpq -n -p is:
>
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  0.freebsd.pool. .POOL.          16 p    -   64    0    0.000   +0.000   0.000
> -162.159.200.1   10.71.10.44      3 u   49 1024  377    5.077   -2.686   0.288
> *193.158.22.13   .MBGh.           1 u  217 1024  377   11.921   -1.232   0.298
> +85.209.49.104   35.73.197.144    2 u   81 1024  377    2.780   -0.842   0.242
> +185.120.22.12   130.149.17.21    2 u  384 1024  377    5.404   -0.482   0.384
> -212.18.3.19     212.18.1.106     2 u  122 1024  377    6.106   -1.292   0.260
>
> Basically as you can see, no egregious time differences (delay is in
> milliseconds). As for the domains, my domain is kept in cloudflare, they
> provide the DNSSEC records as well. I don't know if that's the case for
> github and/or updates.spamassassin.org, which I also see failing.
>
> I'll set the flags and logfile you provided, and will wait until the
> error occurs again, and then I'll touch base again with you. It should
> take a day or two at most, the sometimes failing cronjob runs hourly.
>
> Best Regards,
> --
> László Károlyi
> https://linkedin/com/in/karolyi
>
> On 05.07.20 23:17, Simon Kelley wrote:
>> Just a stab in the dark: are you sure that the clocks on these machines
>> are accurate? DNSSEC signatures have validity periods and when I checked
>> obsswitcher.com its start-of-validity time was only an hour or so before
>> the time when I checked, so a bad clock would explain what you're seeing.
>>
>> Failing that, you don't say what version of dnsmasq you're running.
>> Please make sure you upgrade to 2.81 if you're running older code. That
>> fixes lots of DNSSEC bugs.
>>
>> If 2.81 still shows the problem, set the following dnsmasq configuration
>>
>> dumpfile=<path/to/file>
>> dumpmask=0x00C0
>>
>> run the test again and send me the resulting dumps.
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>
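Added example, not code from this thread, from dnsmasq or from its authors: it models the two checks the thread turns on, namely whether a skewed local clock could push "now" outside an RRSIG's inception/expiration window (RFC 4034 section 3.1.5, timestamps in YYYYMMDDHHmmSS UTC in presentation format), and whether the offsets in the quoted `ntpq -n -p` table are anywhere near large enough for that. The RRSIG timestamps and the check time are constructed (an inception an hour before the check, as Simon describes, and a one-week validity); the ntpq rows are the ones quoted above, reflowed to one line per peer. Function names are this example's own.

```python
# Added example (not from the thread or from dnsmasq): clock skew vs. RRSIG validity.
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def parse_rrsig_time(text):
    """RFC 4034 3.1.5: Signature Inception/Expiration, presentation form YYYYMMDDHHmmSS (UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def rrsig_status(inception, expiration, now):
    """Classify an RRSIG as 'valid', 'not-yet-valid' or 'expired' at time `now`."""
    if now < parse_rrsig_time(inception):
        return "not-yet-valid"
    if now > parse_rrsig_time(expiration):
        return "expired"
    return "valid"


def status_with_skew(inception, expiration, true_now, skew_ms):
    """The same check as seen by a clock that is `skew_ms` milliseconds off.
    Negative skew means the local clock runs behind true time."""
    local_now = true_now + timedelta(milliseconds=skew_ms)
    return rrsig_status(inception, expiration, local_now)


def parse_ntpq_offsets(table):
    """Return the `offset` column (milliseconds) of `ntpq -n -p` output for real peers.
    Skips the header, the '====' separator and stratum-16 (.POOL. / unsynchronised) rows."""
    offsets = []
    for line in table.splitlines():
        cols = line.split()
        if len(cols) != 10 or not cols[2].isdigit():
            continue  # header line or separator
        if int(cols[2]) == 16:
            continue  # pool pseudo-peer or unreachable source
        offsets.append(float(cols[8]))
    return offsets


def max_abs_offset_ms(table):
    """Largest absolute peer offset in the table, in milliseconds (0.0 if none)."""
    return max((abs(o) for o in parse_ntpq_offsets(table)), default=0.0)


# Rows quoted in the thread, one line per peer.
NTPQ_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.freebsd.pool. .POOL.          16 p    -   64    0    0.000   +0.000   0.000
-162.159.200.1   10.71.10.44      3 u   49 1024  377    5.077   -2.686   0.288
*193.158.22.13   .MBGh.           1 u  217 1024  377   11.921   -1.232   0.298
+85.209.49.104   35.73.197.144    2 u   81 1024  377    2.780   -0.842   0.242
+185.120.22.12   130.149.17.21    2 u  384 1024  377    5.404   -0.482   0.384
-212.18.3.19     212.18.1.106     2 u  122 1024  377    6.106   -1.292   0.260
"""

# Constructed RRSIG window: signed an hour before the check, valid for one week.
INCEPTION = "20200705210000"
EXPIRATION = "20200712210000"
# Constructed check time, roughly when the reply quoted above was sent.
CHECK_TIME = datetime(2020, 7, 5, 22, 17, tzinfo=UTC)

if __name__ == "__main__":
    print("accurate clock  :", status_with_skew(INCEPTION, EXPIRATION, CHECK_TIME, 0))
    print("clock 2h behind :", status_with_skew(INCEPTION, EXPIRATION, CHECK_TIME, -2 * 3600 * 1000))
    worst = max_abs_offset_ms(NTPQ_SAMPLE)
    print(f"worst ntpq offset {worst} ms:",
          status_with_skew(INCEPTION, EXPIRATION, CHECK_TIME, -worst))
```

With the quoted table the worst offset is under 3 ms, so a clock explanation needs a skew of the order of the signature's age (here about an hour); the example shows the same signature flipping to `not-yet-valid` only when the clock is two hours behind. Note that `ntpq` offsets are in milliseconds, as the thread says, while RRSIG windows are in whole seconds, so any skew ntpd reports on a synchronised host is far below what would matter. In dnsmasq's `dumpmask`, the bits 0x0040 and 0x0080 select bogus replies to clients and bogus DNSSEC replies respectively, which is why `0x00C0` captures only the failing traffic that Simon asked for.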