[Dnsmasq-discuss] BOGUS DNSSEC responses

Simon Kelley simon at thekelleys.org.uk
Sun Jul 12 23:34:55 BST 2020


On 09/07/2020 09:07, László Károlyi wrote:
> Thanks for your response again.
> 
> I'm not an expert in DNSSEC, so I can't answer you the first point. As
> for the second point, I attached my (pretty milquetoast) unbound.conf, not
> much changes in there; hoping it could give a clue.

It's not giving me a clue, I'm afraid. In any case, I've fixed dnsmasq
to handle zero-TTL DNSKEY and DS records,

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=7e194a0a7d483932eb3f416b8f26131ade588acc

and made a 2.82 release-candidate at

http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.82rc1.tar.gz

Please could you check if that fixes things?



cheers,

Simon.

> 
> Edit: Resending the unbound.conf zipped since the unzipped version
> got held up by mailman.
> 
> Cheers,
> --
> László Károlyi
> https://linkedin/com/in/karolyi
> 
> On 06.07.20 23:05, Simon Kelley wrote:
>> OK, I can see the proximate cause of the problem, but I'm not sure
>> what's causing it and I'm not sure how behaviour needs to change.
>>
>> The proximate cause is that the upstream server (unbound, I think) is
>> returning answers to queries for DNSKEY records with time-to-live as
>> zero. Time-to-live zero means "use this once, but don't cache it" so
>> dnsmasq doesn't cache it. But the DNSSEC validation process in dnsmasq
>> depends on data like DNSKEYs being cached: that's the path by which it
>> gets to the correct place for doing the validation. Hence the validation
>> failures.
>>
>> Two questions arise.
>>
>> 1) Is dnsmasq wrong to fail validation with DNSKEYs with TTL zero? I
>> think the answer to that is probably "yes", if only on grounds of "be
>> forgiving in what you accept". The fix is fairly simple.
>>
>> 2) Why is Unbound returning DNSKEY records with TTL zero, over and over
>> again? Is there something in your unbound config that causes that?
>>
>>
>> Cheers,
>>
>> Simon.
> 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
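As an added illustration of the mechanism described in the thread (this is a toy model, not dnsmasq's code): a cache that honours TTL 0 by not storing the record, a validator that needs the zone's DS and DNSKEY to be present in that cache, and the "forgiving" variant that stores DNSKEY/DS records anyway with an assumed floor TTL. Zone names, rdata and the floor value are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str
    rtype: str   # e.g. "DNSKEY", "DS", "A"
    ttl: int
    rdata: str

@dataclass
class Cache:
    # Fix under discussion: keep zero-TTL DNSKEY/DS records (floor_ttl is an assumption)
    keep_zero_ttl_keys: bool = False
    floor_ttl: int = 1
    _store: dict = field(default_factory=dict)

    def insert(self, rr: RR, now: int) -> bool:
        ttl = rr.ttl
        if ttl == 0:
            if self.keep_zero_ttl_keys and rr.rtype in ("DNSKEY", "DS"):
                ttl = self.floor_ttl          # store it so validation can find it
            else:
                return False                  # TTL 0: "use once, don't cache"
        self._store[(rr.name, rr.rtype)] = (rr, now + ttl)
        return True

    def lookup(self, name: str, rtype: str, now: int):
        hit = self._store.get((name, rtype))
        if hit is None or hit[1] <= now:      # missing or expired
            return None
        return hit[0]

def validate(cache: Cache, zone: str, parent: str, now: int) -> str:
    """Simplified chain check: the DS at the parent and the DNSKEY at the zone
    must both be reachable through the cache, otherwise the answer is BOGUS."""
    if cache.lookup(zone, "DS", now) is None:
        return "BOGUS"
    if cache.lookup(zone, "DNSKEY", now) is None:
        return "BOGUS"
    return "SECURE"

def run_scenario(keep_zero_ttl_keys: bool) -> str:
    """Constructed upstream replies: DS and DNSKEY both arrive with TTL 0."""
    cache = Cache(keep_zero_ttl_keys=keep_zero_ttl_keys)
    now = 0
    cache.insert(RR("example.net.", "DS", 0, "12345 13 2 <digest placeholder>"), now)
    cache.insert(RR("example.net.", "DNSKEY", 0, "257 3 13 <key placeholder>"), now)
    cache.insert(RR("www.example.net.", "A", 0, "192.0.2.1"), now)  # still not cached
    return validate(cache, "example.net.", "net.", now)
```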