[Dnsmasq-discuss] querying DS from wrong server
Simon Kelley
simon at thekelleys.org.uk
Mon Jul 7 17:06:49 UTC 2025
On 7/7/25 08:40, Uwe Kleine-König wrote:
> Hello Simon,
>
> thanks for your patch!
>
> On 7/7/25 00:37, Simon Kelley wrote:
>> On 6/23/25 21:44, Uwe Kleine-König wrote:
>>> Hello,
>>>
>>> back in January I hit a DNSSEC related problem that I reported on that
>>> list, and that resulted in commit
>>> 8ce27433f8b2e17c557cb55e4f16941d309deeac.
>>>
>>> Now I slightly changed my setup to make it more robust, it works as
>>> follows now:
>>>
>>> I have a authoritative DNS server for kleine-koenig.org running on
>>> [::1]:10053 and dnsmasq (running on OpenWrt) configured with
>>>
>>> server=/kleine-koenig.org/::1#10053
>>> domain=kk4.kleine-koenig.org
>>>
>>> . The problem I have now is that a dnssec verifying resolver querying the
>>> forwarding side of dnsmasq sees:
>>>
>>> $ delv www.kleine-koenig.org
>>> ;; broken trust chain resolving 'kleine-koenig.org/DNSKEY/IN': ::1#53
>>> ;; broken trust chain resolving 'www.kleine-koenig.org/A/IN': 127.0.0.1#53
>>> ;; resolution failed: broken trust chain
>>>
>>> I think the problem is that the DS query for kleine-koenig.org is also
>>> forwarded to [::1]:10053. Instead it should be forwarded to the same
>>> server that (non-DS) queries for .org are sent to.
>>>
>>> So the logic implemented in 8ce27433f8b2e17c557cb55e4f16941d309deeac was
>>> to short-sighted, a DS query should always go to the parent; not only for
>>> the zones that dnsmasq is authoritative for.
>>
>> Agreed, I just pushed 2.92test15 which implements this.
>>
>> I did a load of testing, and I think every situation works now.
>>
>> Domain specific server, no DNSSEC records, for a domain which is provably not signed higher up the hierarchy.
>>
>> Domain specific server, no DNSSEC records, for a domain which should be signed. (Dnsmasq gives this the benefit of the doubt, but logs a warning.)
>>
>> Domain specific server with DNSSEC records, that the higher domains don't have DS record for, but there is trust anchor in dnsmasq config.
>>
>> Domain specific server with DNSSEC records, that the higher domains do have DS record for.
>>
>> For those last two, DS queries work the same way, returning either the local trust anchor, or the DS from the parent.
>
> I think that's still broken. To use a testcase that we both can use, I did the following:
>
> dnsmasq -p 10053 -d -q --server=/debian.org/dns4.easydns.info
>
> and then query using:
>
> $ delv @::1 -p 10053 debian.org A
> ;; chase DS servers resolving 'debian.org/DS/IN': ::1#10053
> ;; missing expected cookie from ::1#10053
> ;; missing expected cookie from ::1#10053
> ;; missing expected cookie from ::1#10053
> ;; missing expected cookie from ::1#10053
> ;; broken trust chain resolving 'debian.org/DNSKEY/IN': ::1#10053
> ;; broken trust chain resolving 'debian.org/A/IN': ::1#10053
> ;; resolution failed: broken trust chain
>
> . This request makes dnsmasq log:
>
> dnsmasq: query[A] debian.org from ::1
> dnsmasq: forwarded debian.org to 2620:49:4::10
> dnsmasq: reply debian.org is 151.101.194.132
> dnsmasq: reply debian.org is 151.101.66.132
> dnsmasq: reply debian.org is 151.101.2.132
> dnsmasq: reply debian.org is 151.101.130.132
> dnsmasq: reply debian.org is <RRSIG>
> dnsmasq: query[DNSKEY] debian.org from ::1
> dnsmasq: forwarded debian.org to 2620:49:4::10
> dnsmasq: reply is truncated
> dnsmasq: query[DNSKEY] debian.org from ::1
> dnsmasq: forwarded debian.org to 2620:49:4::10
> dnsmasq: reply debian.org is <DNSKEY>
> dnsmasq: reply debian.org is <DNSKEY>
> dnsmasq: reply debian.org is <DNSKEY>
> dnsmasq: reply debian.org is <RRSIG>
> dnsmasq: reply debian.org is <RRSIG>
> dnsmasq: query[DS] debian.org from ::1
> dnsmasq: forwarded debian.org to 2620:49:4::10
> dnsmasq: reply debian.org is NODATA
> ...
>
> In my understanding the DS query must not go to 2620:49:4::10.
and it does, if you compile dnsmasq with DNSSEC validation, and enable
it :) That's of course wrong, blame force of habit.
2.92test16 should fix this. It certainly works for me in your excellent
test case.
Cheers,
Simon.
>
> Best regards
> Uwe
More information about the Dnsmasq-discuss
mailing list