[Dnsmasq-discuss] dnsmasq v2.86?

Andre Heider a.heider at gmail.com
Thu Aug 12 11:57:40 UTC 2021


On 12/08/2021 13:34, Simon Kelley wrote:
> 
> 
> On 12/08/2021 12:23, Andre Heider wrote:
> 
>>> Hm, works if I disable dnssec on dnsmasq:
>>>
>>> dig thekelleys.org.uk
>>>
>>> ; <<>> DiG 9.16.15-Debian <<>> thekelleys.org.uk
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7599
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 1280
>>> ;; QUESTION SECTION:
>>> ;thekelleys.org.uk.        IN    A
>>>
>>> ;; ANSWER SECTION:
>>> thekelleys.org.uk.    36717    IN    A    85.119.82.65
>>>
>>> ;; Query time: 3 msec
>>> ;; SERVER: 192.168.0.1#53(192.168.0.1)
>>> ;; WHEN: Thu Aug 12 13:12:28 CEST 2021
>>> ;; MSG SIZE  rcvd: 62
>>>
>>>
>>> But with it enabled:
>>>
>>> dig thekelleys.org.uk
>>> ;; Truncated, retrying in TCP mode.
>>>
>>> ; <<>> DiG 9.16.15-Debian <<>> thekelleys.org.uk
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34170
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ; EDE: 14 (Not Ready)
>>> ;; QUESTION SECTION:
>>> ;thekelleys.org.uk.        IN    A
>>>
>>> ;; Query time: 7 msec
>>> ;; SERVER: 192.168.0.1#53(192.168.0.1)
>>> ;; WHEN: Thu Aug 12 13:13:18 CEST 2021
>>> ;; MSG SIZE  rcvd: 52
>>
>> It works with dnssec enabled but 'ednspacket_max 1280' removed...
>>
> 
> 
> This may be getting closer to the original problem. What do the query
> logs look like when that fails? Also is stubby handling queries on TCP OK?

dnsmasq[20540]: query[A] thekelleys.org.uk from 192.168.0.40
dnsmasq[20540]: forwarded thekelleys.org.uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DS] uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DNSKEY] . to 127.0.0.1
dnsmasq[20540]: reply . is DNSKEY keytag 26838, algo 8
dnsmasq[20540]: reply . is DNSKEY keytag 20326, algo 8
dnsmasq[20540]: reply uk is DS keytag 43876, algo 8, digest 2
dnsmasq[20540]: dnssec-query[DS] org.uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DNSKEY] uk to 127.0.0.1
dnsmasq[20540]: reply uk is DNSKEY keytag 43056, algo 8
dnsmasq[20540]: reply uk is DNSKEY keytag 43876, algo 8
dnsmasq[20540]: reply org.uk is DS keytag 41523, algo 8, digest 2
dnsmasq[20540]: dnssec-query[DS] thekelleys.org.uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DNSKEY] org.uk to 127.0.0.1
dnsmasq[20540]: reply org.uk is DNSKEY keytag 41523, algo 8
dnsmasq[20540]: reply thekelleys.org.uk is DS keytag 60318, algo 10, digest 2
dnsmasq[20540]: reply thekelleys.org.uk is DS keytag 7713, algo 10, digest 2
dnsmasq[20540]: dnssec-query[DNSKEY] thekelleys.org.uk to 127.0.0.1
dnsmasq[20540]: reply thekelleys.org.uk is 85.119.82.65

> dig @127.0.0.1 -p 5453 +vc thekelleys.org.uk

; <<>> DiG 9.17.13 <<>> @127.0.0.1 -p 5453 +vc thekelleys.org.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9671
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;thekelleys.org.uk.		IN	A

;; ANSWER SECTION:
thekelleys.org.uk.	34162	IN	A	85.119.82.65

;; Query time: 170 msec
;; SERVER: 127.0.0.1#5453(127.0.0.1) (TCP)
;; WHEN: Thu Aug 12 13:55:03 CEST 2021
;; MSG SIZE  rcvd: 62


To be honest I'm not sure why I added --edns-packet-max=1280. It may 
have been just because of dnsmasq logging about reducing packet sizes to 
syslog over and over again?
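
Added example (not part of the original message and not dnsmasq project code): a small Python check that pairs each dnssec-query line in the log excerpt above with a logged DS/DNSKEY reply of the same name and type, and lists the queries that have none. It recognises only the two line shapes visible in this message; the function name unanswered_dnssec_queries is hypothetical.

```python
import re

# Log excerpt copied from the message above (the mail-wrapped DS line is joined).
SAMPLE_LOG = """\
dnsmasq[20540]: query[A] thekelleys.org.uk from 192.168.0.40
dnsmasq[20540]: forwarded thekelleys.org.uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DS] uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DNSKEY] . to 127.0.0.1
dnsmasq[20540]: reply . is DNSKEY keytag 26838, algo 8
dnsmasq[20540]: reply . is DNSKEY keytag 20326, algo 8
dnsmasq[20540]: reply uk is DS keytag 43876, algo 8, digest 2
dnsmasq[20540]: dnssec-query[DS] org.uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DNSKEY] uk to 127.0.0.1
dnsmasq[20540]: reply uk is DNSKEY keytag 43056, algo 8
dnsmasq[20540]: reply uk is DNSKEY keytag 43876, algo 8
dnsmasq[20540]: reply org.uk is DS keytag 41523, algo 8, digest 2
dnsmasq[20540]: dnssec-query[DS] thekelleys.org.uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DNSKEY] org.uk to 127.0.0.1
dnsmasq[20540]: reply org.uk is DNSKEY keytag 41523, algo 8
dnsmasq[20540]: reply thekelleys.org.uk is DS keytag 60318, algo 10, digest 2
dnsmasq[20540]: reply thekelleys.org.uk is DS keytag 7713, algo 10, digest 2
dnsmasq[20540]: dnssec-query[DNSKEY] thekelleys.org.uk to 127.0.0.1
dnsmasq[20540]: reply thekelleys.org.uk is 85.119.82.65
"""

# Only the two line shapes visible in the message are recognised.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: dnssec-query\[(DS|DNSKEY)\] (\S+) to \S+")
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (DS|DNSKEY) keytag \d+")

def unanswered_dnssec_queries(log_text):
    """Return (name, rrtype) pairs that were queried but have no logged reply."""
    pending = []  # a list keeps the order in which queries appear in the log
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            key = (q.group(2), q.group(1))
            if key not in pending:
                pending.append(key)
            continue
        r = REPLY_RE.search(line)
        # Several keys or digests may be logged per reply; the first clears the query.
        if r and (r.group(1), r.group(2)) in pending:
            pending.remove((r.group(1), r.group(2)))
    return pending

if __name__ == "__main__":
    for name, rrtype in unanswered_dnssec_queries(SAMPLE_LOG):
        print(f"no {rrtype} reply logged for {name}")
```

For the excerpt above it returns the DNSKEY query for thekelleys.org.uk. That only says no such reply line appears in the excerpt, not why.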


