[Dnsmasq-discuss] issues resolving a DNSSEC domain with dnsmasq 2.76

Petr Menšík pemensik at redhat.com
Fri Mar 19 15:35:28 UTC 2021


We have version 2.76 built on RHEL7 without DNSSEC support
(intentionally). I think this is related to missing support for
algorithm 13, which might not have been supported back then by nettle or
by the code.

Of course, the correct behaviour would be to treat a name signed by an
unsupported algorithm as unsigned. This name validates fine on the
latest version for me. But the code must handle unsupported algorithms.

The fix should be backported to the old version if it is still supported. I
think it would make sense to raise a bug with the distribution. Simon happens
to be the Debian maintainer as well, so he might be able to fix it eventually,
but bugs fixed in more recent versions should be reported to distributions.

Have you tried tcpdump/wireshark on port 53 to see what the responses to
dnsmasq look like? Might the RRSIG be missing from the reply, for instance?

Cheers,
Petr

On 3/19/21 1:50 PM, Jelle de Jong via Dnsmasq-discuss wrote:
> Hello everybody,
> 
> I am having an issue resolving the MX record of a domain using DNSSEC;
> however, I can not find anything wrong with this domain on DNSSEC test
> sites, but dnsmasq goes into a loop until the dig tool times out.
> 
> The dnssec test on the goededoelennederland.nl domain:
> https://dnsviz.net/d/goededoelennederland.nl/dnssec/
> 
> The dnsmasq loop logs (a few pages full)
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl
> is DNSKEY keytag 44143, algo 13
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY]
> goededoelennederland.nl to 208.67.220.220
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl
> is DNSKEY keytag 44143, algo 13
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY]
> goededoelennederland.nl to 208.67.220.220
> 
> The dnsmasq config:
> dnssec
> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
> 
> If I disable the dnsmasq option it all works:
> 
> # dnsmasq --version
> Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
> Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua
> TFTP conntrack ipset auth DNSSEC loop-detect inotify
> 
> # dig MX goededoelennederland.nl @localhost
> ; <<>> DiG 9.10.3-P4-Debian <<>> MX goededoelennederland.nl @localhost
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> # dig MX goededoelennederland.nl @208.67.222.222 | grep -v ";"
> goededoelennederland.nl. 0    IN    MX    0
> goededoelennederland-nl.mail.protection.outlook.com.
> 
> I could reproduce this issue on multiple dnsmasq servers.
> 
> Could someone knowledgeable do a quick dig MX goededoelennederland.nl
> and see what goes wrong?
> 
> Kind regards,
> 
> Jelle de Jong
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
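The two points of the thread above, a validator that keeps re-querying the DNSKEY RRset and the RFC 4035 section 5.2 rule that a zone signed only with algorithms the validator does not support must be treated as insecure (unsigned) rather than bogus, can be checked from dnsmasq's own log output. The following is an added example, not code from the thread or from dnsmasq: it parses constructed log lines in the format quoted above (the host name, server address, zone names and key tags are made up), flags a name as looping when several DNSKEY queries to the same upstream fall inside a short window, and reports what a validator with a given algorithm set should do with the algorithms seen. The algorithm set OLD_BUILD_ALGOS (an RSA-only build) is an assumption for illustration, not the algorithm list of any real dnsmasq version.

```python
import re
from collections import defaultdict
from datetime import datetime

# IANA DNSSEC algorithm numbers still in use (RFC 8624, section 3.1).
ALGORITHMS = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}

# Assumption for illustration: an old RSA-only validator build, no ECDSA/EdDSA.
# This is not the algorithm list of any particular dnsmasq release.
OLD_BUILD_ALGOS = {5, 7, 8, 10}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"dnssec-query\[DNSKEY\] (?P<name>\S+) to (?P<server>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is DNSKEY keytag \d+, algo (?P<algo>\d+)")

# Constructed sample in the dnsmasq log format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Mar 19 13:37:18 fw dnsmasq[26888]: dnssec-query[DNSKEY] signed.example to 192.0.2.53
Mar 19 13:37:18 fw dnsmasq[26888]: reply signed.example is DNSKEY keytag 44143, algo 13
Mar 19 13:37:18 fw dnsmasq[26888]: dnssec-query[DNSKEY] signed.example to 192.0.2.53
Mar 19 13:37:18 fw dnsmasq[26888]: reply signed.example is DNSKEY keytag 44143, algo 13
Mar 19 13:37:19 fw dnsmasq[26888]: dnssec-query[DNSKEY] signed.example to 192.0.2.53
Mar 19 13:37:19 fw dnsmasq[26888]: reply signed.example is DNSKEY keytag 44143, algo 13
Mar 19 13:37:19 fw dnsmasq[26888]: dnssec-query[DNSKEY] signed.example to 192.0.2.53
Mar 19 13:37:25 fw dnsmasq[26888]: dnssec-query[DNSKEY] other.example to 192.0.2.53
Mar 19 13:37:25 fw dnsmasq[26888]: reply other.example is DNSKEY keytag 1001, algo 8
Mar 19 13:37:26 fw dnsmasq[26888]: dnssec-query[DNSKEY] other.example to 192.0.2.53
""".splitlines()


def parse_log(lines):
    """Return ({(name, server): [query timestamps]}, {name: {algorithm numbers}})."""
    queries = defaultdict(list)
    algos = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; we only use them for deltas.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        msg = m["msg"]
        if q := QUERY_RE.search(msg):
            queries[(q["name"], q["server"])].append(ts)
        elif r := REPLY_RE.search(msg):
            algos[r["name"]].add(int(r["algo"]))
    return queries, algos


def find_loops(lines, threshold=3, window=5.0):
    """Flag a name as looping when `threshold` DNSKEY queries to the same
    upstream fall inside `window` seconds. Returns findings sorted by name."""
    queries, algos = parse_log(lines)
    findings = []
    for (name, server), times in queries.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                findings.append({
                    "name": name, "server": server, "queries": len(times),
                    "algos": sorted(algos.get(name, ())),
                })
                break
    return sorted(findings, key=lambda f: f["name"])


def expected_outcome(zone_algos, supported):
    """RFC 4035 section 5.2: a validator that supports none of the zone's
    algorithms has no authentication chain from the parent and must treat
    the name as insecure (unsigned); it must not mark it bogus or retry."""
    return "validate" if set(zone_algos) & supported else "insecure"


def describe(algos):
    return [f"{a} ({ALGORITHMS.get(a, 'unknown')})" for a in sorted(algos)]


if __name__ == "__main__":
    for f in find_loops(SAMPLE_LOG):
        print(f"{f['name']}: {f['queries']} DNSKEY queries to {f['server']}, "
              f"algorithms {describe(f['algos'])}, expected outcome on an "
              f"RSA-only build: {expected_outcome(f['algos'], OLD_BUILD_ALGOS)}")
```

Run it against `journalctl -u dnsmasq` or the syslog file instead of SAMPLE_LOG when chasing a real timeout; a name that is flagged with an algorithm outside the build's set is the case Petr describes, and the fix is in the validator, not in the zone.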
