[Dnsmasq-discuss] issues resolving a DNSSEC domain with dnsmasq 2.76

Petr Menšík pemensik at redhat.com
Fri Mar 19 17:08:05 UTC 2021


Hmm, I suspect the problem with this name lies in the server TTL setting
for the key. DNSKEY has 0, which might not be handled well by older
versions.

Update:
This was fixed by commit 7e194a0 [1] in version 2.82, where it modifies
ttl to stay at least 60 seconds in a cache. I guess all previous
versions need its backport, if they are validating.

1. http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=7e194a0a7d483932eb3f416b8f26131ade588acc

Cheers,
Petr

On 3/19/21 5:08 PM, Petr Menšík wrote:
> Okay, interesting bug. I was able to reproduce it also on the RHEL8 version
> of 2.79, which is not that old. So I guess I have to find a fix for that.
> 
> It worked on 2.85rc1, so the fix must be something in between those. Or it
> depends on nettle version used. RHEL8 uses nettle 3.4.1, my Fedora 32
> has nettle 3.5.1.
> 
> It seems I have to find the fix for that as well. Thanks for reporting it!
> 
> The problem is goededoelennederland.nl DNSKEY reply validation by
> dnssec_validate_by_ds returns STAT_NEED_KEY. Which in turn generates the
> same query again, failing again.
> 
> Cheers,
> Petr
> 
> On 3/19/21 1:50 PM, Jelle de Jong via Dnsmasq-discuss wrote:
>> Hello everybody,
>>
>> I am having an issue resolving the MX record of a domain using DNSSEC,
>> however I can not find anything wrong with this domain on a dnssec test
>> sites, but dnsmasq goes into a loop until the dig tool times out.
>>
>> The dnssec test on the goededoelennederland.nl domain:
>> https://dnsviz.net/d/goededoelennederland.nl/dnssec/
>>
>> The dnsmasq loop logs (a few pages full):
>> Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl is DNSKEY keytag 44143, algo 13
>> Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY] goededoelennederland.nl to 208.67.220.220
>> Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl is DNSKEY keytag 44143, algo 13
>> Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY] goededoelennederland.nl to 208.67.220.220
>>
>> The dnsmasq config:
>> dnssec
>> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
>>
>> If I disable the dnsmasq option, it all works:
>>
>> # dnsmasq --version
>> Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
>> Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua
>> TFTP conntrack ipset auth DNSSEC loop-detect inotify
>>
>> # dig MX goededoelennederland.nl @localhost
>> ; <<>> DiG 9.10.3-P4-Debian <<>> MX goededoelennederland.nl @localhost
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>>
>> # dig MX goededoelennederland.nl @208.67.222.222 | grep -v ";"
>> goededoelennederland.nl. 0    IN    MX    0 goededoelennederland-nl.mail.protection.outlook.com.
>>
>> I could reproduce this issue on multiple dnsmasq servers.
>>
>> Could someone knowledgeable do a quick dig MX goededoelennederland.nl
>> and see what goes wrong?
>>
>> Kind regards,
>>
>> Jelle de Jong
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>>

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
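The two things this thread pins down are the symptom (the same dnssec-query[DNSKEY] line re-issued over and over within the same second) and the cause Petr names (a DNSKEY with TTL 0 that older dnsmasq does not keep in its cache, so validation keeps returning "need key" and re-queries). The following Python is an added example written for this page; it is not code from the thread or from dnsmasq. It parses dnsmasq log lines of the shape Jelle quoted to flag a query loop, and it models the zero-TTL cache problem in a deliberately simplified validator that is an assumption about the mechanism, not dnsmasq's actual implementation; the 60-second floor mirrors the fix Petr describes, and the sample log is constructed from the quoted lines plus one extra DS line for contrast.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the four dnssec log lines quoted in the report, joined
# back onto single lines, plus one unrelated DS query added for contrast.
SAMPLE_LOG = """\
Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl is DNSKEY keytag 44143, algo 13
Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY] goededoelennederland.nl to 208.67.220.220
Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl is DNSKEY keytag 44143, algo 13
Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY] goededoelennederland.nl to 208.67.220.220
Mar 19 13:37:19 firewall01 dnsmasq[26888]: dnssec-query[DS] example.org to 208.67.220.220
"""

# Matches syslog-style dnsmasq "dnssec-query[TYPE] name to server" lines.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"dnssec-query\[(?P<rrtype>[A-Z]+)\] (?P<name>\S+) to (?P<server>\S+)$"
)


def find_dnssec_query_loops(log_text, threshold=2):
    """Return {(name, rrtype, server): count} for every dnssec-query that
    dnsmasq re-issued at least `threshold` times within one logged second.
    A healthy resolver asks for a given DNSKEY once and then serves it from
    cache, so repeats inside a single second are the loop signature."""
    per_second = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # replies and non-DNSSEC lines are not counted
        key = (m["name"], m["rrtype"], m["server"])
        per_second[m["ts"]][key] += 1
    loops = Counter()
    for counts in per_second.values():
        for key, n in counts.items():
            if n >= threshold:
                loops[key] += n
    return dict(loops)


# Assumed floor, taken from the description of commit 7e194a0 in the thread.
MIN_DNSSEC_CACHE_TTL = 60


def simulate_validation(dnskey_ttl, min_cache_ttl, max_queries=10):
    """Simplified model of the failure mode (an assumption, not dnsmasq's
    code): the validator asks the cache for the zone's DNSKEY; on a miss it
    issues one upstream query, stores the answer with max(ttl, floor) and
    retries. An entry whose remaining TTL is 0 counts as already expired.
    Returns how many upstream queries were needed before validation could
    proceed, or None if it hit `max_queries` without ever finding the key."""
    cache = {}
    queries = 0
    while queries < max_queries:
        remaining = cache.get("DNSKEY")
        if remaining is not None and remaining > 0:
            return queries  # key usable: validation can continue
        # STAT_NEED_KEY path: fetch the key again and cache it with the floor
        queries += 1
        cache["DNSKEY"] = max(dnskey_ttl, min_cache_ttl)
    return None


if __name__ == "__main__":
    for key, n in find_dnssec_query_loops(SAMPLE_LOG).items():
        print("possible DNSSEC query loop:", key, "repeated", n, "times")
    print("TTL 0, no floor  ->", simulate_validation(0, 0))
    print("TTL 0, 60s floor ->", simulate_validation(0, MIN_DNSSEC_CACHE_TTL))
```

Run against a real /var/log file, the detector only needs the `threshold` raised to whatever your query rate makes reasonable; the model shows why a 0-TTL DNSKEY plus a cache that honours that TTL literally never converges, while a minimum cache lifetime lets validation finish after a single upstream query.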
