[Dnsmasq-discuss] issues resolving a DNSSEC domain with dnsmasq 2.76

Petr Menšík pemensik at redhat.com
Fri Mar 19 16:08:28 UTC 2021


Okay, interesting bug. I was able to reproduce it also on the RHEL8 version
of 2.79, which is not that old. So I guess I have to find a fix for that.

It worked on 2.85rc1, so the fix must be something in between those. Or it
depends on the nettle version used. RHEL8 uses nettle 3.4.1, my Fedora 32
has nettle 3.5.1.

It seems I have to find the fix for that as well. Thanks for reporting it!

The problem is that validation of the goededoelennederland.nl DNSKEY reply by
dnssec_validate_by_ds returns STAT_NEED_KEY, which in turn generates the
same query again, failing again.

Cheers,
Petr

On 3/19/21 1:50 PM, Jelle de Jong via Dnsmasq-discuss wrote:
> Hello everybody,
> 
> I am having an issue resolving the MX record of a domain using DNSSEC,
> however I cannot find anything wrong with this domain on dnssec test
> sites, but dnsmasq goes into a loop until the dig tool times out.
> 
> The dnssec test on the goededoelennederland.nl domain:
> https://dnsviz.net/d/goededoelennederland.nl/dnssec/
> 
> The dnsmasq loop logs (a few pages full)
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl
> is DNSKEY keytag 44143, algo 13
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY]
> goededoelennederland.nl to 208.67.220.220
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl
> is DNSKEY keytag 44143, algo 13
> Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY]
> goededoelennederland.nl to 208.67.220.220
> 
> The dnsmasq config:
> dnssec
> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
> 
> If I disable dnsmasq option it all works:
> 
> # dnsmasq --version
> Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
> Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua
> TFTP conntrack ipset auth DNSSEC loop-detect inotify
> 
> # dig MX goededoelennederland.nl @localhost
> ; <<>> DiG 9.10.3-P4-Debian <<>> MX goededoelennederland.nl @localhost
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> # dig MX goededoelennederland.nl @208.67.222.222 | grep -v ";"
> goededoelennederland.nl. 0    IN    MX    0
> goededoelennederland-nl.mail.protection.outlook.com.
> 
> I could reproduce this issue on multiple dnsmasq servers.
> 
> Could someone knowledgeable do a quick dig MX goededoelennederland.nl
> and see what goes wrong?
> 
> Kind regards,
> 
> Jelle de Jong
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
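As an added illustration (not code from dnsmasq or from either poster) of the DS-to-DNSKEY matching a validating resolver does before it trusts a zone's keys, the step the thread names as dnssec_validate_by_ds: the script below derives the DS a parent would publish for a DNSKEY and reports which DNSKEYs a given DS authenticates. An empty result is the situation dnsmasq reports as STAT_NEED_KEY. The DNSKEY public key is constructed sample data, not the real goededoelennederland.nl key.

```python
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 13 = ECDSAP256SHA256, as in the thread's logs
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: bytes


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, as hashed into a DS."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """Derive the DS record the parent zone would publish for this DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def matching_keys(owner: str, ds: DS, keys: list) -> list:
    """DNSKEYs this DS authenticates: tag, algorithm and digest must all agree.
    An empty list means the validator has no trusted key (dnsmasq: STAT_NEED_KEY)."""
    if ds.digest_type not in DIGESTS:  # unsupported digest: cannot authenticate anything
        return []
    return [k for k in keys
            if key_tag(k.rdata()) == ds.key_tag and k.algorithm == ds.algorithm
            and ds_from_dnskey(owner, k, ds.digest_type).digest == ds.digest]


# Constructed sample KSK (flags 257, algorithm 13); the key bytes are placeholders.
SAMPLE_KSK = DNSKEY(257, 3, 13, bytes(range(64)))
```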
