[Dnsmasq-discuss] DNSSEC in dnsmasq's parent zone

Uwe Kleine-König uwe+dnsmasq at kleine-koenig.org
Sun Jan 19 16:48:00 UTC 2025 

Hello Simon,

On Sun, Jan 19, 2025 at 12:07:25AM +0000, Simon Kelley wrote:
> On 1/18/25 21:56, Uwe Kleine-König wrote:
> > Anyhow, I'll investigate how to update dnsmasq on my OpenWrt machine
> > with your patch and report back.
> 
> Thanks. I did some more testing and found a couple more bugs. One is
> theoretical and one is real in the sense that I saw it happen, but it
> requires the forwarder part of dnsmasq to be configured with
> 
>  --cache-rr=ANY,
> 
> so you probably haven't hit it. Anyway, I tagged 2.91test8, so best to test
> that.

OK I did, and I see an improvement, namely:

	root at happy:~# dig +dnssec kk4.kleine-koenig.org DS

	; <<>> DiG 9.20.4 <<>> +dnssec kk4.kleine-koenig.org DS
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45505
	;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags: do; udp: 1232
	; EDE: 29: (Result from negative cache for entire name)
	;; QUESTION SECTION:
	;kk4.kleine-koenig.org.		IN	DS

	;; AUTHORITY SECTION:
	kleine-koenig.org.	2295	IN	SOA	ns2.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736985600 86400 7200 3600000 3600
	2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - 2P9C6ENEEA87649H171LI9VRHSJHD415 A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY SPF CAA
	jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - KC9F61PEEQM0I99JMFUTDS2AG9ERP4JA CNAME RRSIG
	b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - BI486GC6KIU7IU4NLOCN8SL91BHSKRV5 A AAAA RRSIG
	kleine-koenig.org.	2295	IN	RRSIG	SOA 13 2 86400 20250130000000 20250109000000 34607 kleine-koenig.org. o+4F0Nhr6KWw6dEVfgeGRv4B3n1yjdZKhTCPB03IIK9naZQGvdgUfLV2 PADPEFYtDKv9ePRzyJTxobF+pCa2rA==
	2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. 5d5BQRag1NrEKo22RhuvvqUBIq1NJykKUIwZGrzlvmRtvEUwl0VtciHf 6DnomyWFZqx5HIbuhTeOMu9CxdUjTg==
	jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. NzUYWmFm4OhGVMMU6DFFnB+xxzxA8ZOQZkSPXxT6yEaiXVvP4bXziolM 8o/2l0lcGO1j8ARAsVl4feDEfkY09A==
	b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. Sx2J6xvVOFULEK6uKDMvP+E3gqJ251Dv2rAkLW+w/b/Fokp7Kg8t/oit ZtDSi8InKqXfdiSUzLqWft9sjv2sXA==

	;; Query time: 40 msec
	;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
	;; WHEN: Sun Jan 19 16:53:06 CET 2025
	;; MSG SIZE  rcvd: 848

(which lacked the DNSSEC stuff before).

*But* the SOA line mentioned there is the public one, which means that
that

	server=/kleine-koenig.org/192.168.128.3

was ignored here?! (It works when asking directly for the SOA:

	root at happy:~# dig kleine-koenig.org SOA

	; <<>> DiG 9.20.4 <<>> kleine-koenig.org SOA
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54931
	;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 1232
	;; QUESTION SECTION:
	;kleine-koenig.org.		IN	SOA

	;; ANSWER SECTION:
	kleine-koenig.org.	3496	IN	SOA	ns1.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736985600 86400 7200 3600000 3600

	;; Query time: 30 msec
	;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
	;; WHEN: Sun Jan 19 17:27:26 CET 2025
	;; MSG SIZE  rcvd: 97

(note ns1.kleine-koenig.org for internal vs. ns2.kleine-koenig.org for
external).

> The NS record is fine. It does get answered from the --auth-server param and
> a client should get the same answer from either the parent zone's auth
> server or the child zone's as long as both have been configured the same.
> It's in the unsigned child zone, so DNSSEC RRs don't apply.

However I cannot confirm that: As in the first mail reported I don't get
any answer when asking for the NS record from the forwarder:

	root at happy:~# dig kk4.kleine-koenig.org NS

	; <<>> DiG 9.20.4 <<>> kk4.kleine-koenig.org NS
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19436
	;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 1232
	;; QUESTION SECTION:
	;kk4.kleine-koenig.org.		IN	NS

	;; Query time: 0 msec
	;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
	;; WHEN: Sun Jan 19 16:54:52 CET 2025
	;; MSG SIZE  rcvd: 50

dnsmasq logs the follwing for that query:

	Sun Jan 19 17:30:09 2025 daemon.info dnsmasq[1]: 99 127.0.0.1/57004 query[NS] kk4.kleine-koenig.org from 127.0.0.1
	Sun Jan 19 17:30:09 2025 daemon.info dnsmasq[1]: 99 127.0.0.1/57004 config kk4.kleine-koenig.org is NODATA

Not sure this is a problem for the DNSSEC verification though.

But there is an answer from the auth side:

	root at happy:~# dig @192.168.128.4 kk4.kleine-koenig.org NS

	; <<>> DiG 9.20.4 <<>> @192.168.128.4 kk4.kleine-koenig.org NS
	; (1 server found)
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19283
	;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
	;; WARNING: recursion requested but not available

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 1232
	;; QUESTION SECTION:
	;kk4.kleine-koenig.org.		IN	NS

	;; ANSWER SECTION:
	kk4.kleine-koenig.org.	600	IN	NS	happy.kleine-koenig.org.

	;; Query time: 0 msec
	;; SERVER: 192.168.128.4#53(192.168.128.4) (UDP)
	;; WHEN: Sun Jan 19 16:55:01 CET 2025
	;; MSG SIZE  rcvd: 108

> The DS record is the only thing that HAS to come from the parent, to prove
> that the child is not signed.

Ack.

Apart from the wrong server being asked I don't spot a relevant issue
when comparing the output of

	delv +rtrace +mtrace @192.168.128.3 happy.kk4.kleine-koenig.org
	delv +rtrace +mtrace @127.0.0.1 happy.kk4.kleine-koenig.org

I don't wanna spam the list with these outputs, but I can provide them
in private mail if you're interested. Having said that I think asking
the wrong server for some queries is a valid excuse for delv still
failing because the non-existance for kk4.kleine-koenig.org/DS isn't
properly signed then.

Best regards
Uwe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20250119/42c4c80d/attachment.sig>

More information about the Dnsmasq-discuss mailing list