[Dnsmasq-discuss] querying DS from wrong server
Uwe Kleine-König
uwe+dnsmasq at kleine-koenig.org
Mon Jul 7 07:40:53 UTC 2025
Hello Simon,
thanks for your patch!
On 7/7/25 00:37, Simon Kelley wrote:
> On 6/23/25 21:44, Uwe Kleine-König wrote:
>> Hello,
>>
>> back in January I hit a DNSSEC related problem that I reported on that
>> list, and that resulted in commit
>> 8ce27433f8b2e17c557cb55e4f16941d309deeac.
>>
>> Now I slightly changed my setup to make it more robust, it works as
>> follows now:
>>
>> I have a authoritative DNS server for kleine-koenig.org running on
>> [::1]:10053 and dnsmasq (running on OpenWrt) configured with
>>
>> server=/kleine-koenig.org/::1#10053
>> domain=kk4.kleine-koenig.org
>>
>> . The problem I have now is that a dnssec verifying resolver querying the
>> forwarding side of dnsmasq sees:
>>
>> $ delv www.kleine-koenig.org
>> ;; broken trust chain resolving 'kleine-koenig.org/DNSKEY/IN': ::1#53
>> ;; broken trust chain resolving 'www.kleine-koenig.org/A/IN': 127.0.0.1#53
>> ;; resolution failed: broken trust chain
>>
>> I think the problem is that the DS query for kleine-koenig.org is also
>> forwarded to [::1]:10053. Instead it should be forwarded to the same
>> server that (non-DS) queries for .org are sent to.
>>
>> So the logic implemented in 8ce27433f8b2e17c557cb55e4f16941d309deeac was
>> to short-sighted, a DS query should always go to the parent; not only for
>> the zones that dnsmasq is authoritative for.
>
> Agreed, I just pushed 2.92test15 which implements this.
>
> I did a load of testing, and I think every situation works now.
>
> Domain specific server, no DNSSEC records, for a domain which is provably not signed higher up the hierarchy.
>
> Domain specific server, no DNSSEC records, for a domain which should be signed. (Dnsmasq gives this the benefit of the doubt, but logs a warning.)
>
> Domain specific server with DNSSEC records, that the higher domains don't have DS record for, but there is trust anchor in dnsmasq config.
>
> Domain specific server with DNSSEC records, that the higher domains do have DS record for.
>
> For those last two, DS queries work the same way, returning either the local trust anchor, or the DS from the parent.
I think that's still broken. To use a testcase that we both can use, I did the following:
dnsmasq -p 10053 -d -q --server=/debian.org/dns4.easydns.info
and then query using:
$ delv @::1 -p 10053 debian.org A
;; chase DS servers resolving 'debian.org/DS/IN': ::1#10053
;; missing expected cookie from ::1#10053
;; missing expected cookie from ::1#10053
;; missing expected cookie from ::1#10053
;; missing expected cookie from ::1#10053
;; broken trust chain resolving 'debian.org/DNSKEY/IN': ::1#10053
;; broken trust chain resolving 'debian.org/A/IN': ::1#10053
;; resolution failed: broken trust chain
. This request makes dnsmasq log:
dnsmasq: query[A] debian.org from ::1
dnsmasq: forwarded debian.org to 2620:49:4::10
dnsmasq: reply debian.org is 151.101.194.132
dnsmasq: reply debian.org is 151.101.66.132
dnsmasq: reply debian.org is 151.101.2.132
dnsmasq: reply debian.org is 151.101.130.132
dnsmasq: reply debian.org is <RRSIG>
dnsmasq: query[DNSKEY] debian.org from ::1
dnsmasq: forwarded debian.org to 2620:49:4::10
dnsmasq: reply is truncated
dnsmasq: query[DNSKEY] debian.org from ::1
dnsmasq: forwarded debian.org to 2620:49:4::10
dnsmasq: reply debian.org is <DNSKEY>
dnsmasq: reply debian.org is <DNSKEY>
dnsmasq: reply debian.org is <DNSKEY>
dnsmasq: reply debian.org is <RRSIG>
dnsmasq: reply debian.org is <RRSIG>
dnsmasq: query[DS] debian.org from ::1
dnsmasq: forwarded debian.org to 2620:49:4::10
dnsmasq: reply debian.org is NODATA
...
In my understanding the DS query must not go to 2620:49:4::10.
Best regards
Uwe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20250707/c40275f8/attachment.sig>
More information about the Dnsmasq-discuss
mailing list