[Dnsmasq-discuss] DNSSEC in dnsmasq's parent zone

Uwe Kleine-König uwe+dnsmasq at kleine-koenig.org
Mon Jan 20 10:32:57 UTC 2025


Hello Simon,

On Sun, Jan 19, 2025 at 11:50:23PM +0000, Simon Kelley wrote:
> On 1/19/25 16:48, Uwe Kleine-König wrote:
> > On Sun, Jan 19, 2025 at 12:07:25AM +0000, Simon Kelley wrote:
> > > On 1/18/25 21:56, Uwe Kleine-König wrote:
> > > > Anyhow, I'll investigate how to update dnsmasq on my OpenWrt machine
> > > > with your patch and report back.
> > > 
> > > Thanks. I did some more testing and found a couple more bugs. One is
> > > theoretical and one is real in the sense that I saw it happen, but it
> > > requires the forwarder part of dnsmasq to be configured with
> > > 
> > >   --cache-rr=ANY,
> > > 
> > > so you probably haven't hit it. Anyway, I tagged 2.91test8, so best to test
> > > that.
> > 
> > OK I did, and I see an improvement, namely:
> > 
> > 	root at happy:~# dig +dnssec kk4.kleine-koenig.org DS
> > 
> > 	; <<>> DiG 9.20.4 <<>> +dnssec kk4.kleine-koenig.org DS
> > 	;; global options: +cmd
> > 	;; Got answer:
> > 	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45505
> > 	;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
> > 
> > 	;; OPT PSEUDOSECTION:
> > 	; EDNS: version: 0, flags: do; udp: 1232
> > 	; EDE: 29: (Result from negative cache for entire name)
> > 	;; QUESTION SECTION:
> > 	;kk4.kleine-koenig.org.		IN	DS
> > 
> > 	;; AUTHORITY SECTION:
> > 	kleine-koenig.org.	2295	IN	SOA	ns2.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736985600 86400 7200 3600000 3600
> > 	2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - 2P9C6ENEEA87649H171LI9VRHSJHD415 A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY SPF CAA
> > 	jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - KC9F61PEEQM0I99JMFUTDS2AG9ERP4JA CNAME RRSIG
> > 	b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - BI486GC6KIU7IU4NLOCN8SL91BHSKRV5 A AAAA RRSIG
> > 	kleine-koenig.org.	2295	IN	RRSIG	SOA 13 2 86400 20250130000000 20250109000000 34607 kleine-koenig.org. o+4F0Nhr6KWw6dEVfgeGRv4B3n1yjdZKhTCPB03IIK9naZQGvdgUfLV2 PADPEFYtDKv9ePRzyJTxobF+pCa2rA==
> > 	2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. 5d5BQRag1NrEKo22RhuvvqUBIq1NJykKUIwZGrzlvmRtvEUwl0VtciHf 6DnomyWFZqx5HIbuhTeOMu9CxdUjTg==
> > 	jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. NzUYWmFm4OhGVMMU6DFFnB+xxzxA8ZOQZkSPXxT6yEaiXVvP4bXziolM 8o/2l0lcGO1j8ARAsVl4feDEfkY09A==
> > 	b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. Sx2J6xvVOFULEK6uKDMvP+E3gqJ251Dv2rAkLW+w/b/Fokp7Kg8t/oit ZtDSi8InKqXfdiSUzLqWft9sjv2sXA==
> > 
> > 	;; Query time: 40 msec
> > 	;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> > 	;; WHEN: Sun Jan 19 16:53:06 CET 2025
> > 	;; MSG SIZE  rcvd: 848
> > 
> > (which lacked the DNSSEC stuff before).
> > 
> > *But* the SOA line mentioned there is the public one, which means that
> > 
> > 	server=/kleine-koenig.org/192.168.128.3
> > 
> > was ignored here?! (It works when asking directly for the SOA:
> 
> It was ignored. The logic is somewhat tortuous, but it goes like this.
> The server=/kleine-koenig.org/192.168.128.3 is not available for queries
> which need DNSSEC validation; a DS query always needs DNSSEC validation, so
> it doesn't get sent to 192.168.128.3.

Huh. Is this a bug that is hard to fix, or is this beneficial in some
situation and so works as intended?

Anyhow, for testing I added an NS record for kk4.kleine-koenig.org to the
public zone and dropped

	server=/kleine-koenig.org/192.168.128.3

from the config. Then I get

	root at happy:~# delv happy.kk4.kleine-koenig.org
	; unsigned answer
	happy.kk4.kleine-koenig.org. 0	IN	A	192.168.144.1
	happy.kk4.kleine-koenig.org. 0	IN	A	192.168.145.1

.

> If you add a DS record for
> kleine-koenig.org to your config, it should work, assuming that
> 192.168.128.3 is DNSSEC capable.

After first trying with dns-rr=, which somewhat worked (as I succeeded in
creating a DS record with it), it didn't impress dnsmasq enough to make
DNSSEC verification happy.

Now I added

	trust-anchor=kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1

which matches the DS record for kleine-koenig.org in both the public DNS
and the internal view and now delv happy.kk4.kleine-koenig.org works
(same output as above, with "unsigned answer" as expected).

That's a bit inconvenient because I have to duplicate that information.
An "auto" mode that just uses kleine-koenig.org/DS would be good. And if
the config doesn't match, DNSSEC is broken anyhow, isn't it?
So IMHO such an auto-mode being the default would be sane, but that
relates to the question above about why DNSSEC isn't used for server=.

(Side note: I first tried:

	trust-anchor=,kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1

and

	trust-anchor=IN,kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1

(with a , after the = and class=IN respectively), but dnsmasq didn't
like that

	dnsmasq[1]: bad trust anchor at line 43 of /etc/dnsmasq.conf

despite the manpage stating

	--trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>

which suggests to me that the , has to be there. (And I have no idea
what to pass for class apart from "IN".))

> Send me stuff off-list. I'd like to see dnsmasq logs too.

Is there anything left to debug now? The only unexpected thing I still
have on my radar is that there is no answer for

	dig kk4.kleine-koenig.org NS

which you said would work on your end.

There isn't much involved and so I send it here:

	root at happy:~# dig kk4.kleine-koenig.org NS

	; <<>> DiG 9.20.4 <<>> kk4.kleine-koenig.org NS
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15630
	;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 1232
	;; QUESTION SECTION:
	;kk4.kleine-koenig.org.		IN	NS

	;; Query time: 0 msec
	;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
	;; WHEN: Mon Jan 20 11:12:32 CET 2025
	;; MSG SIZE  rcvd: 50

which logs:

	Mon Jan 20 11:12:32 2025 daemon.info dnsmasq[1]: 1 127.0.0.1/56319 query[NS] kk4.kleine-koenig.org from 127.0.0.1
	Mon Jan 20 11:12:32 2025 daemon.info dnsmasq[1]: 1 127.0.0.1/56319 config kk4.kleine-koenig.org is NODATA

while asking the auth end results in:

	root at happy:~# dig @192.168.128.4 kk4.kleine-koenig.org NS

	; <<>> DiG 9.20.4 <<>> @192.168.128.4 kk4.kleine-koenig.org NS
	; (1 server found)
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59915
	;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
	;; WARNING: recursion requested but not available

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 1232
	;; QUESTION SECTION:
	;kk4.kleine-koenig.org.		IN	NS

	;; ANSWER SECTION:
	kk4.kleine-koenig.org.	600	IN	NS	happy.kleine-koenig.org.

	;; Query time: 0 msec
	;; SERVER: 192.168.128.4#53(192.168.128.4) (UDP)
	;; WHEN: Mon Jan 20 11:13:31 CET 2025
	;; MSG SIZE  rcvd: 108

with

	Mon Jan 20 11:13:31 2025 daemon.info dnsmasq[1]: 2 192.168.128.4/42861 auth[NS] kk4.kleine-koenig.org from 192.168.128.4
	Mon Jan 20 11:13:31 2025 daemon.info dnsmasq[1]: 2 192.168.128.4/42861 auth kk4.kleine-koenig.org is <NS>

in the logs.

I adapted openwrt to use 2.91test8 as can be seen on
https://github.com/ukleinek/openwrt/tree/dnsmasq-2.91 (I was a bit
irritated about the indentation changes to 200-ubus_dns.patch, but I
would be surprised if that was the culprit), and then used the default
configuration for building. The runtime configuration file in use
contains:

	# auto-generated config file from /etc/config/dhcp
	conf-file=/etc/dnsmasq.conf
	dhcp-authoritative
	domain-needed
	log-queries=extra
	localise-queries
	read-ethers
	enable-ubus=dnsmasq
	expand-hosts
	bind-dynamic
	local-service
	cache-size=1000
	edns-packet-max=1232
	domain=kk4.kleine-koenig.org
	local=/kk4.kleine-koenig.org/
	server=/ext.kleine-koenig.org/162.55.41.232
	server=/kleine-koenig.org/192.168.128.3
	addn-hosts=/tmp/hosts
	dhcp-leasefile=/tmp/dhcp.leases
	resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
	stop-dns-rebind
	rebind-localhost-ok
	rebind-domain-ok=kleine-koenig.org
	rebind-domain-ok=r9.haus-des-engagements.de
	conf-file=/usr/share/dnsmasq/trust-anchors.conf
	dnssec
	dhcp-broadcast=tag:needs-broadcast
	conf-dir=/tmp/dnsmasq.cfg01411c.d
	user=dnsmasq
	group=dnsmasq
	dhcp-ignore-names=tag:dhcp_bogus_hostname
	conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf
	bogus-priv
	conf-file=/usr/share/dnsmasq/rfc6761.conf
	dhcp-range=set:lan,192.168.144.100,192.168.144.249,255.255.255.0,12h
	dhcp-range=set:lab,192.168.145.100,192.168.145.249,255.255.255.0,12h
	no-dhcp-interface=eth2

and /etc/dnsmasq.conf has:

	auth-server=happy.kleine-koenig.org,kkvpn
	auth-zone=kk4.kleine-koenig.org
	trust-anchor=kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1

.

Best regards
Uwe
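As an added example (not code from dnsmasq or from anyone in this thread), the following Python script shows the arithmetic behind the trust-anchor line above: it derives a DS record (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4) from a DNSKEY, and checks that a dnsmasq trust-anchor line in the five-field form that worked here matches a DS record as dig prints it. The DNSKEY used is a constructed all-zero ECDSA P-256 key, the DS presentation line is constructed from the fields of the anchor in the mail (the TTL is made up), and all function names are this example's own.

```python
"""Derive DS fields from a DNSKEY and check a dnsmasq trust-anchor line
against a DS record. Added example; not dnsmasq code. The DNSKEY below is
a constructed all-zero key used only to exercise the arithmetic."""
import hashlib


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not raw or len(raw) > 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS fields for a DNSKEY: digest = hash(owner wire | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](owner_name_wire(owner) + rdata).hexdigest()
    return {"name": owner.rstrip(".").lower(), "key_tag": key_tag(rdata),
            "algorithm": rdata[3], "digest_type": digest_type,
            "digest": digest.upper()}


def parse_ds_record(line: str) -> dict:
    """Parse '<name> [<ttl>] [IN] DS <tag> <alg> <dtype> <digest>' as dig
    prints it; dig may split the digest hex into whitespace-separated groups."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return {"name": fields[0].rstrip(".").lower(), "key_tag": tag,
            "algorithm": alg, "digest_type": dtype,
            "digest": "".join(fields[i + 4:]).upper()}


def parse_trust_anchor(line: str) -> dict:
    """Parse the form that worked in the thread:
    trust-anchor=<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>"""
    key, _, value = line.strip().partition("=")
    parts = value.split(",")
    if key != "trust-anchor" or len(parts) != 5:
        raise ValueError("expected trust-anchor=<domain>,<tag>,<alg>,<dtype>,<digest>")
    domain, tag, alg, dtype, digest = parts
    return {"name": domain.rstrip(".").lower(), "key_tag": int(tag),
            "algorithm": int(alg), "digest_type": int(dtype),
            "digest": digest.upper()}


def format_trust_anchor(ds: dict) -> str:
    """Render DS fields as a dnsmasq trust-anchor line (five-field form)."""
    return "trust-anchor={name},{key_tag},{algorithm},{digest_type},{digest}".format(**ds)


def trust_anchor_matches_ds(anchor_line: str, ds_line: str) -> bool:
    """True when every field of the anchor equals the DS record's field."""
    return parse_trust_anchor(anchor_line) == parse_ds_record(ds_line)


# The anchor line from the mail, and a DS presentation line constructed from
# the same fields (TTL 3600 is made up) as dig would print it.
ANCHOR_LINE = ("trust-anchor=kleine-koenig.org,34607,13,2,"
               "FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1")
DS_LINE = ("kleine-koenig.org. 3600 IN DS 34607 13 2 "
           "FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1")

# Constructed DNSKEY: KSK flags 257, protocol 3, algorithm 13, all-zero key.
EXAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(64))

if __name__ == "__main__":
    print("anchor matches DS:", trust_anchor_matches_ds(ANCHOR_LINE, DS_LINE))
    print(format_trust_anchor(ds_from_dnskey("kleine-koenig.org.", EXAMPLE_RDATA)))
```

The check is field-by-field rather than a string comparison because dig prints the digest in hex groups and the zone name with a trailing dot, while the dnsmasq line has neither; normalising both sides to the same dict is what makes a mismatched key tag or digest show up as a real difference instead of a formatting one.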