[Dnsmasq-discuss] issues resolving a DNSSEC domain with dnsmasq 2.76

Matthias Andree matthias.andree at gmx.de
Fri Mar 19 14:46:41 UTC 2021


Am 19.03.21 um 13:50 schrieb Jelle de Jong via Dnsmasq-discuss:
> Hello everybody,
>
> I am having an issue resolving the MX record of a domain using DNSSEC,
> however I cannot find anything wrong with this domain on dnssec
> test sites, but dnsmasq goes into a loop until the dig tool times out.
>
> The dnssec test on the goededoelennederland.nl domain:
> https://dnsviz.net/d/goededoelennederland.nl/dnssec/
>
> The dnsmasq loop logs (a few pages full)
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply
> goededoelennederland.nl is DNSKEY keytag 44143, algo 13
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY]
> goededoelennederland.nl to 208.67.220.220
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply
> goededoelennederland.nl is DNSKEY keytag 44143, algo 13
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY]
> goededoelennederland.nl to 208.67.220.220
>
> The dnsmasq config:
> dnssec
> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
>
> If I disable the dnsmasq option, it all works:
>
> # dnsmasq --version
> Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
> Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua
> TFTP conntrack ipset auth DNSSEC loop-detect inotify
>
> # dig MX goededoelennederland.nl @localhost
> ; <<>> DiG 9.10.3-P4-Debian <<>> MX goededoelennederland.nl @localhost
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> # dig MX goededoelennederland.nl @208.67.222.222 | grep -v ";"
> goededoelennederland.nl. 0    IN    MX    0
> goededoelennederland-nl.mail.protection.outlook.com.
>
> I could reproduce this issue on multiple dnsmasq servers.
>
> Could someone knowledgeable do a quick dig MX
> goededoelennederland.nl and see what goes wrong?

No real need to try and see because your dnsmasq version 2.76 is a bit
decrepit. Retry with 2.84 or 2.85rc1.

> tag v2.76
> Tagger: Simon Kelley <simon at thekelleys.org.uk>
> Date:   Wed May 18 15:52:12 2016 +0100

2.84 works for me, with dnsmasq forwarding to unbound, both DNSSEC
enabled, I get:

> ; <<>> DiG 9.11.28-RedHat-9.11.28-1.fc33 <<>> @192.168.0.1
> goededoelennederland.nl. mx
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57860
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;goededoelennederland.nl.    IN    MX
>
> ;; ANSWER SECTION:
> goededoelennederland.nl. 3380    IN    MX    0
> goededoelennederland-nl.mail.protection.outlook.com.

> $ delv @192.168.0.1 goededoelennederland.nl. mx
> ; fully validated
> goededoelennederland.nl. 3176    IN    MX    0
> goededoelennederland-nl.mail.protection.outlook.com.
> goededoelennederland.nl. 3176    IN    RRSIG    MX 13 2 3600
> 20210401000000 20210311000000 44143 goededoelennederland.nl.
> UFt2p0dHRSsWZuHaafFYhjod4Ckmi07+rYniBLm69ugU1Brt+MemBunV
> 80zOscD6jC1qwywVsWiL3J6oThPirQ==
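Added example, not part of this thread or of dnsmasq itself: a small Python detector for the repeated dnssec-query pattern quoted above, so the loop can be caught from syslog before clients start timing out. The log lines are constructed to mirror the quoted output (same name, upstream and keytag; timestamps invented), and the threshold and time window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the dnsmasq output quoted in the thread
# (name, upstream and keytag as quoted; timestamps and the DS line are invented).
SAMPLE_LOG = """\
Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY] goededoelennederland.nl to 208.67.220.220
Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl is DNSKEY keytag 44143, algo 13
Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY] goededoelennederland.nl to 208.67.220.220
Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl is DNSKEY keytag 44143, algo 13
Mar 19 13:37:19 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY] goededoelennederland.nl to 208.67.220.220
Mar 19 13:37:19 firewall01 dnsmasq[26888]: dnssec-query[DS] example.org to 208.67.220.220
Mar 19 13:37:25 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY] goededoelennederland.nl to 208.67.220.220
"""

# Matches only the outgoing "dnssec-query[TYPE] name to upstream" lines.
QUERY_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"dnssec-query\[(?P<rtype>[A-Z0-9]+)\] (?P<name>\S+) to (?P<upstream>\S+)$"
)

def parse_query(line, year=2021):
    """Return (timestamp, (rtype, name, upstream)) for a dnssec-query line, else None."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, (m["rtype"], m["name"], m["upstream"])

def find_query_loops(log_text, threshold=3, window_seconds=2):
    """Return (rtype, name, upstream, count) for every query key that was sent
    at least `threshold` times within any `window_seconds` span (assumed values)."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed:
            ts, key = parsed
            by_key[key].append(ts)
    loops = []
    for key, stamps in by_key.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            loops.append((*key, best))
    return loops
```

A healthy resolver sends one DNSKEY query per zone per TTL, so any key that trips the threshold is worth an alert; a single isolated retry, like the DS query in the sample, does not.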
