[Dnsmasq-discuss] DNSSEC in dnsmasq's parent zone

Simon Kelley simon at thekelleys.org.uk
Sun Jan 19 23:50:23 UTC 2025



On 1/19/25 16:48, Uwe Kleine-König wrote:
> Hello Simon,
> 
> On Sun, Jan 19, 2025 at 12:07:25AM +0000, Simon Kelley wrote:
>> On 1/18/25 21:56, Uwe Kleine-König wrote:
>>> Anyhow, I'll investigate how to update dnsmasq on my OpenWrt machine
>>> with your patch and report back.
>>
>> Thanks. I did some more testing and found a couple more bugs. One is
>> theoretical and one is real in the sense that I saw it happen, but it
>> requires the forwarder part of dnsmasq to be configured with
>>
>>   --cache-rr=ANY,
>>
>> so you probably haven't hit it. Anyway, I tagged 2.91test8, so best to test
>> that.
> 
> OK I did, and I see an improvement, namely:
> 
> 	root at happy:~# dig +dnssec kk4.kleine-koenig.org DS
> 
> 	; <<>> DiG 9.20.4 <<>> +dnssec kk4.kleine-koenig.org DS
> 	;; global options: +cmd
> 	;; Got answer:
> 	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45505
> 	;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
> 
> 	;; OPT PSEUDOSECTION:
> 	; EDNS: version: 0, flags: do; udp: 1232
> 	; EDE: 29: (Result from negative cache for entire name)
> 	;; QUESTION SECTION:
> 	;kk4.kleine-koenig.org.		IN	DS
> 
> 	;; AUTHORITY SECTION:
> 	kleine-koenig.org.	2295	IN	SOA	ns2.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736985600 86400 7200 3600000 3600
> 	2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - 2P9C6ENEEA87649H171LI9VRHSJHD415 A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY SPF CAA
> 	jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - KC9F61PEEQM0I99JMFUTDS2AG9ERP4JA CNAME RRSIG
> 	b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - BI486GC6KIU7IU4NLOCN8SL91BHSKRV5 A AAAA RRSIG
> 	kleine-koenig.org.	2295	IN	RRSIG	SOA 13 2 86400 20250130000000 20250109000000 34607 kleine-koenig.org. o+4F0Nhr6KWw6dEVfgeGRv4B3n1yjdZKhTCPB03IIK9naZQGvdgUfLV2 PADPEFYtDKv9ePRzyJTxobF+pCa2rA==
> 	2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. 5d5BQRag1NrEKo22RhuvvqUBIq1NJykKUIwZGrzlvmRtvEUwl0VtciHf 6DnomyWFZqx5HIbuhTeOMu9CxdUjTg==
> 	jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. NzUYWmFm4OhGVMMU6DFFnB+xxzxA8ZOQZkSPXxT6yEaiXVvP4bXziolM 8o/2l0lcGO1j8ARAsVl4feDEfkY09A==
> 	b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. Sx2J6xvVOFULEK6uKDMvP+E3gqJ251Dv2rAkLW+w/b/Fokp7Kg8t/oit ZtDSi8InKqXfdiSUzLqWft9sjv2sXA==
> 
> 	;; Query time: 40 msec
> 	;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> 	;; WHEN: Sun Jan 19 16:53:06 CET 2025
> 	;; MSG SIZE  rcvd: 848
> 
> (which lacked the DNSSEC stuff before).
> 
> *But* the SOA line mentioned there is the public one, which means that
> 
> 	server=/kleine-koenig.org/192.168.128.3
> 
> was ignored here?! (It works when asking directly for the SOA:

It was ignored. The logic is somewhat tortuous, but it goes like this.
The server=/kleine-koenig.org/192.168.128.3 is not available for queries 
which need DNSSEC validation; a DS query always needs DNSSEC validation, 
so it doesn't get sent to 192.168.128.3. If you add a DS record for 
kleine-koenig.org to your config, it should work, assuming that 
192.168.128.3 is DNSSEC capable.
> 
> 	root at happy:~# dig kleine-koenig.org SOA
> 
> 	; <<>> DiG 9.20.4 <<>> kleine-koenig.org SOA
> 	;; global options: +cmd
> 	;; Got answer:
> 	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54931
> 	;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> 	;; OPT PSEUDOSECTION:
> 	; EDNS: version: 0, flags:; udp: 1232
> 	;; QUESTION SECTION:
> 	;kleine-koenig.org.		IN	SOA
> 
> 	;; ANSWER SECTION:
> 	kleine-koenig.org.	3496	IN	SOA	ns1.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736985600 86400 7200 3600000 3600
> 
> 	;; Query time: 30 msec
> 	;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> 	;; WHEN: Sun Jan 19 17:27:26 CET 2025
> 	;; MSG SIZE  rcvd: 97
> 
> (note ns1.kleine-koenig.org for internal vs. ns2.kleine-koenig.org for
> external).
> 
>> The NS record is fine. It does get answered from the --auth-server param and
>> a client should get the same answer from either the parent zone's auth
>> server or the child zone's as long as both have been configured the same.
>> It's in the unsigned child zone, so DNSSEC RRs don't apply.
> 
> However I cannot confirm that: As in the first mail reported I don't get
> any answer when asking for the NS record from the forwarder:
> 
> 	root at happy:~# dig kk4.kleine-koenig.org NS
> 
> 	; <<>> DiG 9.20.4 <<>> kk4.kleine-koenig.org NS
> 	;; global options: +cmd
> 	;; Got answer:
> 	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19436
> 	;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> 	;; OPT PSEUDOSECTION:
> 	; EDNS: version: 0, flags:; udp: 1232
> 	;; QUESTION SECTION:
> 	;kk4.kleine-koenig.org.		IN	NS
> 
> 	;; Query time: 0 msec
> 	;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> 	;; WHEN: Sun Jan 19 16:54:52 CET 2025
> 	;; MSG SIZE  rcvd: 50
> 
> dnsmasq logs the following for that query:
> 
> 	Sun Jan 19 17:30:09 2025 daemon.info dnsmasq[1]: 99 127.0.0.1/57004 query[NS] kk4.kleine-koenig.org from 127.0.0.1
> 	Sun Jan 19 17:30:09 2025 daemon.info dnsmasq[1]: 99 127.0.0.1/57004 config kk4.kleine-koenig.org is NODATA

I can't reproduce this here; it works for me.
> 
> Not sure this is a problem for the DNSSEC verification though.

It shouldn't be.
> 
> But there is an answer from the auth side:
> 
> 	root at happy:~# dig @192.168.128.4 kk4.kleine-koenig.org NS
> 
> 	; <<>> DiG 9.20.4 <<>> @192.168.128.4 kk4.kleine-koenig.org NS
> 	; (1 server found)
> 	;; global options: +cmd
> 	;; Got answer:
> 	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19283
> 	;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 	;; WARNING: recursion requested but not available
> 
> 	;; OPT PSEUDOSECTION:
> 	; EDNS: version: 0, flags:; udp: 1232
> 	;; QUESTION SECTION:
> 	;kk4.kleine-koenig.org.		IN	NS
> 
> 	;; ANSWER SECTION:
> 	kk4.kleine-koenig.org.	600	IN	NS	happy.kleine-koenig.org.
> 
> 	;; Query time: 0 msec
> 	;; SERVER: 192.168.128.4#53(192.168.128.4) (UDP)
> 	;; WHEN: Sun Jan 19 16:55:01 CET 2025
> 	;; MSG SIZE  rcvd: 108
> 
>> The DS record is the only thing that HAS to come from the parent, to prove
>> that the child is not signed.
> 
> Ack.
> 
> Apart from the wrong server being asked I don't spot a relevant issue
> when comparing the output of
> 
> 	delv +rtrace +mtrace @192.168.128.3 happy.kk4.kleine-koenig.org
> 	delv +rtrace +mtrace @127.0.0.1 happy.kk4.kleine-koenig.org
> 
> I don't wanna spam the list with these outputs, but I can provide them
> in private mail if you're interested. Having said that I think asking
> the wrong server for some queries is a valid excuse for delv still
> failing because the non-existence for kk4.kleine-koenig.org/DS isn't
> properly signed then.

Send me stuff off-list. I'd like to see dnsmasq logs too.


Cheers,

Simon.


> 
> Best regards
> Uwe
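
Simon's explanation above (a DS query always needs DNSSEC validation, so a
per-domain server= entry is bypassed for it unless the zone is itself
covered by a trust anchor) maps onto a dnsmasq configuration roughly as
follows. This is an added illustration, not a configuration from the
thread or from the dnsmasq project; the key tag and digest of the
kleine-koenig.org KSK are placeholders, the trust-anchors.conf path is a
placeholder, and the assumption that the internal server 192.168.128.3
answers with DNSSEC records for the zone is exactly the one Simon states.

```conf
# Added example; KEYTAG_PLACEHOLDER / DIGEST_HEX_PLACEHOLDER are not real values.

# DNSSEC validation on; the root trust anchor is loaded from the
# trust-anchors.conf that dnsmasq ships (path depends on the distribution).
dnssec
conf-file=/path/to/trust-anchors.conf

# Domain-specific forwarder for the internal view of the zone. It is used
# for ordinary queries (hence the SOA with ns1 in the thread), but a DS query
# for a name under kleine-koenig.org always requires validation and is not
# sent here unless the zone is covered by a trust anchor, so the public
# parent (ns2) gets asked instead.
server=/kleine-koenig.org/192.168.128.3

# Fix suggested in the thread: declare the zone's DS as a trust anchor so the
# validator can use the internal server (which must itself answer with
# RRSIG/NSEC3/DNSKEY records for the zone).
# Fields: domain, key tag, algorithm, digest type, digest. 13 is the algorithm
# the quoted RRSIGs use (ECDSAP256SHA256); 2 is SHA-256. Both are assumptions
# about the KSK, and the tag and digest must come from the real key.
trust-anchor=kleine-koenig.org,KEYTAG_PLACEHOLDER,13,2,DIGEST_HEX_PLACEHOLDER
```

Until the trust anchor is in place, the proof of non-existence for
kk4.kleine-koenig.org/DS comes from the public parent, which is why delv
run against 127.0.0.1 still sees a mismatch.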


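
Simon's point that the DS record (or the proof that there is none) is the
one thing that must come from the signed parent is what the NSEC3 records in
Uwe's first dig output are for. The following added example, which is not
dnsmasq code and not from the thread, re-implements the RFC 5155 hash
(SHA-1, base32hex) and the "closest encloser / next closer / wildcard"
check that a validator performs before it accepts that
kk4.kleine-koenig.org has no DS. The three NSEC3 records are copied from the
quoted dig output; the `build_chain` helper and the zone it constructs in
the test are invented for illustration. Verifying the RRSIG over the NSEC3
RRsets is a separate step and is left out.

```python
"""NSEC3 proof-of-non-existence check for a DS record (RFC 5155).

Added example for the dnsmasq-discuss thread; not dnsmasq code.
A validator may conclude "this name has no DS" in two ways:
  - NODATA: the name exists in the parent and its own NSEC3 type bitmap
    lacks DS (an unsigned delegation), or
  - NXDOMAIN: the name does not exist; then the closest encloser must match
    an NSEC3 owner and both the next closer name and the wildcard at the
    closest encloser must be covered by NSEC3 records.
Either way the records come from the signed parent, never from the child.
"""
import base64
import hashlib

# Copied from the dig +dnssec output in the thread. Tuple layout:
# (owner hash, iterations, salt as hex, next hashed owner, type bitmap).
# The records use hash algorithm 1 (SHA-1), flags 0, iterations 0, no salt.
THREAD_NSEC3 = [
    ("2h1ek1sl5f0n5g07dos4u229nlrldiuh", 0, "", "2P9C6ENEEA87649H171LI9VRHSJHD415",
     "A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY SPF CAA"),
    ("jsj8simjbajncnrcii8eq3474hg5f6pt", 0, "", "KC9F61PEEQM0I99JMFUTDS2AG9ERP4JA",
     "CNAME RRSIG"),
    ("b862q755o9ujc0mu6llpi5hu4n0tm9em", 0, "", "BI486GC6KIU7IU4NLOCN8SL91BHSKRV5",
     "A AAAA RRSIG"),
]

# Standard base32 alphabet -> base32hex alphabet (RFC 4648 section 7).
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercase) wire-format owner name: length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, iterations=0, salt=b""):
    """H(name) per RFC 5155 section 5, base32hex encoded, uppercase."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").translate(_B32HEX)


def covers(owner, nxt, candidate):
    """True if candidate lies strictly between owner and next on the hash ring.
    The last record in the chain points back at the first, so it covers
    everything above its owner and everything below the first owner."""
    o, n, c = owner.upper(), nxt.upper(), candidate.upper()
    if o < n:
        return o < c < n
    return c > o or c < n


def _matching(records, h):
    return next((r for r in records if r[0].upper() == h.upper()), None)


def _covering(records, h):
    return next((r for r in records if covers(r[0], r[3], h)), None)


def prove_no_ds(qname, records):
    """Return 'nodata' or 'nxdomain' if the records prove qname has no DS,
    or None if they prove nothing (a validator must then reject the answer)."""
    iterations, salt = records[0][1], bytes.fromhex(records[0][2])
    labels = qname.rstrip(".").split(".")

    own = _matching(records, nsec3_hash(qname, iterations, salt))
    if own is not None:                      # name exists in the parent
        return "nodata" if "DS" not in own[4].split() else None

    # Name does not exist: the closest encloser is the longest ancestor
    # whose hash matches an NSEC3 owner (RFC 5155 section 8.3).
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if _matching(records, nsec3_hash(encloser, iterations, salt)) is None:
            continue
        next_closer = ".".join(labels[i - 1:])
        wildcard = "*." + encloser
        if (_covering(records, nsec3_hash(next_closer, iterations, salt))
                and _covering(records, nsec3_hash(wildcard, iterations, salt))):
            return "nxdomain"
        return None
    return None


def build_chain(names_with_types, iterations=0, salt=b""):
    """Test helper: a complete NSEC3 chain for a constructed zone, sorted by
    hash, each record pointing at the next and the last wrapping around."""
    hashed = sorted((nsec3_hash(n, iterations, salt), t) for n, t in names_with_types)
    return [(h, iterations, salt.hex(), hashed[(i + 1) % len(hashed)][0], t)
            for i, (h, t) in enumerate(hashed)]


if __name__ == "__main__":
    print("thread records prove no DS for kk4.kleine-koenig.org:",
          prove_no_ds("kk4.kleine-koenig.org", THREAD_NSEC3))
```

Running the module prints which kind of proof, if any, the three records
from the thread constitute for kk4.kleine-koenig.org; the parent can only
supply an NXDOMAIN-style proof here because the public zone has no kk4
delegation at all, which is exactly the inconsistency with the internal
view that delv complains about.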

