[Dnsmasq-discuss] BOGUS DNSSEC responses

Simon Kelley simon at thekelleys.org.uk
Mon Jul 6 22:05:16 BST 2020


OK, I can see the proximate cause of the problem, but I'm not sure
what's causing it and I'm not sure how behaviour needs to change.

The proximate cause is that the upstream server (unbound, I think) is
returning answers to queries for DNSKEY records with time-to-live as
zero. Time-to-live zero means "use this once, but don't cache it", so
dnsmasq doesn't cache it. But the DNSSEC validation process in dnsmasq
depends on data like DNSKEYs being cached: that's the path by which it
gets to the correct place for doing the validation. Hence the validation
failures.

Two questions arise.

1) Is dnsmasq wrong to fail validation with DNSKEYs with TTL zero? I
think the answer to that is probably "yes", if only on grounds of "be
forgiving in what you accept". The fix is fairly simple.

2) Why is Unbound returning DNSKEY records with TTL zero, over and over
again? Is there something in your unbound config that causes that?


Cheers,

Simon.






On 06/07/2020 09:50, László Károlyi wrote:
> So, this was done faster than I thought.
> 
> I've uploaded the file to wetransfer since it's 3MB and I don't want an
> outcry from people on here about me sending huge emails:
> https://we.tl/t-mlLySN7n0f
> 
> In that dump, you will probably see obsswitcher.com,
> updates.spamassassin.org and api.foursquare.com failed requests. I
> didn't look into it in detail, but the sheer size should indicate a lot
> of failed requests.
> 
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi
> 
> On 2020-07-06 00:41, László Károlyi wrote:
>> Hey Simon,
>>
>> thanks for your response.
>>
>> Yes, my bad, I should have said at the outset that I use the latest
>> dnsmasq in FreeBSD with the latest official (12.1-RELEASE-p6) release on
>> the latest patch level. So, dnsmasq is "2.81_2,1", as defined here:
>>
>> https://www.freshports.org/dns/dnsmasq/
>>
>> I use NTP to keep the time in sync on my box, the output of ntpq -n -p is:
>>
>>      remote           refid      st t when poll reach   delay   offset  jitter
>> ==============================================================================
>>  0.freebsd.pool. .POOL.          16 p    -   64    0    0.000   +0.000   0.000
>> -162.159.200.1   10.71.10.44      3 u   49 1024  377    5.077   -2.686   0.288
>> *193.158.22.13   .MBGh.           1 u  217 1024  377   11.921   -1.232   0.298
>> +85.209.49.104   35.73.197.144    2 u   81 1024  377    2.780   -0.842   0.242
>> +185.120.22.12   130.149.17.21    2 u  384 1024  377    5.404   -0.482   0.384
>> -212.18.3.19     212.18.1.106     2 u  122 1024  377    6.106   -1.292   0.260
>>
>> Basically as you can see, no egregious time differences (delay is in
>> milliseconds). As for the domains, my domain is kept in cloudflare, they
>> provide the DNSSEC records as well. I don't know if that's the case for
>> github and/or updates.spamassassin.org, which I also see failing.
>>
>> I'll set the flags and logfile you provided, and will wait until the
>> error occurs again, and then I'll touch base again with you. It should
>> take a day or two at most, the sometimes failing cronjob runs hourly.
>>
>> Best Regards,
>> --
>> László Károlyi
>> https://linkedin/com/in/karolyi
>>
>> On 05.07.20 23:17, Simon Kelley wrote:
>>> Just a stab in the dark: are you sure that the clocks on these machines
>>> are accurate? DNSSEC signatures have validity periods and when I checked
>>> obsswitcher.com its start-of-validity time was only an hour or so before
>>> the time when I checked, so a bad clock would explain what you're seeing.
>>>
>>> Failing that, you don't say what version of dnsmasq you're running.
>>> Please make sure you upgrade to 2.81 if you're running older code. That
>>> fixes lots of DNSSEC bugs.
>>>
>>> If 2.81 still shows the problem, set the following dnsmasq configuration
>>>
>>> dumpfile=<path/to/file>
>>> dumpmask=0x00C0
>>>
>>> run the test again and send me the resulting dumps.
>>>
>>>
>>> Cheers,
>>>
>>> Simon.
>>>
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
> 

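The cache dependency Simon describes, as an added example that is not part of the thread and not dnsmasq's own code: a toy model of a validator whose chain walk re-enters through its cache, run once with the strict reading of a TTL-zero DNSKEY ("don't cache it") and once with a forgiving one (floor the TTL so the pending validation can still find the key). The zone names, TTLs, key tag and the min_ttl knob are constructed assumptions, and the signature check is reduced to a key-tag match. For the dump Simon asked for, dumpmask=0x00C0 combines the two bits the dnsmasq man page assigns to replies that fail DNSSEC validation (0x0040 for replies to clients, 0x0080 for replies to validation queries), so the dump holds only the failing traffic.

```python
"""Toy DNSSEC validator whose chain walk depends on its cache.

Added illustration for the thread above, not dnsmasq's code. Records,
names and TTLs are constructed; the signature check is a key-tag match.
"""
from dataclasses import dataclass


@dataclass
class RR:
    """A resource record, reduced to the fields the walk needs."""
    name: str
    rtype: str
    ttl: int
    data: str
    keytag: int = 0      # DNSKEY: its own key tag; RRSIG: tag of the signing key
    signer: str = ""     # RRSIG only: the zone whose DNSKEY signed the RRset


NOW = 1_000_000  # fixed clock so the run is deterministic

# Constructed upstream answers, standing in for what the forwarder returns.
# The DNSKEY RRset carries TTL 0, the situation reported in the thread.
UPSTREAM = {
    ("www.example.com.", "A"): [
        RR("www.example.com.", "A", 300, "192.0.2.10"),
        RR("www.example.com.", "RRSIG", 300, "A 13 3 300 ...",
           keytag=12345, signer="example.com."),
    ],
    ("example.com.", "DNSKEY"): [
        RR("example.com.", "DNSKEY", 0, "257 3 13 <public key>", keytag=12345),
    ],
}


class Cache:
    """min_ttl=None: TTL 0 means 'do not cache' (the strict reading).
    min_ttl=N: floor the TTL to N seconds so the record survives long
    enough for the pending validation to pick it up (the forgiving one)."""

    def __init__(self, min_ttl=None):
        self.min_ttl = min_ttl
        self.store = {}

    def put(self, rrs, now):
        for rr in rrs:
            ttl = rr.ttl
            if ttl == 0:
                if self.min_ttl is None:
                    continue  # strict: a TTL-0 record is never stored
                ttl = self.min_ttl
            self.store.setdefault((rr.name, rr.rtype), []).append((now + ttl, rr))

    def get(self, name, rtype, now):
        return [rr for exp, rr in self.store.get((name, rtype), []) if exp > now]


def validate(answer, cache, now, fetch=True):
    """Return 'SECURE' or 'BOGUS' for an RRset plus its RRSIG(s).

    The validator looks for the signing DNSKEY in the cache. If it is
    absent and fetching is allowed, it fetches the zone's DNSKEYs from
    upstream, stores them, and re-enters validation expecting the key to
    now be in the cache. That re-entry through the cache is the dependency
    described in the message above.
    """
    sigs = [rr for rr in answer if rr.rtype == "RRSIG"]
    if not sigs:
        return "BOGUS"
    zone = sigs[0].signer
    keys = cache.get(zone, "DNSKEY", now)
    if any(k.keytag == s.keytag for s in sigs for k in keys):
        return "SECURE"
    if not fetch:
        return "BOGUS"
    cache.put(UPSTREAM.get((zone, "DNSKEY"), []), now)
    return validate(answer, cache, now, fetch=False)


def resolve(name, rtype, min_ttl=None):
    """Resolve one query through a fresh cache and report its DNSSEC status."""
    cache = Cache(min_ttl)
    answer = UPSTREAM[(name, rtype)]
    return validate(answer, cache, NOW)


if __name__ == "__main__":
    print("strict cache   :", resolve("www.example.com.", "A"))             # BOGUS
    print("forgiving cache:", resolve("www.example.com.", "A", min_ttl=1))  # SECURE
```

With min_ttl=None the DNSKEY answer is discarded on arrival, the re-entered validation finds no key for tag 12345 and the A record is marked BOGUS even though upstream returned a perfectly good key. With min_ttl=1 the key lives just long enough for the pending validation to use it, which is the "be forgiving in what you accept" behaviour; the model says nothing about how dnsmasq itself implements the fix.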