[Dnsmasq-discuss] querying DS from wrong server

Uwe Kleine-König uwe+dnsmasq at kleine-koenig.org
Mon Jul 7 21:01:44 UTC 2025


Hello Simon,

On 7/7/25 19:06, Simon Kelley wrote:
> On 7/7/25 08:40, Uwe Kleine-König wrote:
>>
>> I think that's still broken. To use a testcase that we both can use, I did the following:
>>
>>     dnsmasq -p 10053 -d -q --server=/debian.org/dns4.easydns.info
>>
>> and then query using:
>>
>>     $ delv @::1 -p 10053 debian.org A
>>     ;; chase DS servers resolving 'debian.org/DS/IN': ::1#10053
>>     ;; missing expected cookie from ::1#10053
>>     ;; missing expected cookie from ::1#10053
>>     ;; missing expected cookie from ::1#10053
>>     ;; missing expected cookie from ::1#10053
>>     ;; broken trust chain resolving 'debian.org/DNSKEY/IN': ::1#10053
>>     ;; broken trust chain resolving 'debian.org/A/IN': ::1#10053
>>     ;; resolution failed: broken trust chain
>>
>> This request makes dnsmasq log:
>>
>>     dnsmasq: query[A] debian.org from ::1
>>     dnsmasq: forwarded debian.org to 2620:49:4::10
>>     dnsmasq: reply debian.org is 151.101.194.132
>>     dnsmasq: reply debian.org is 151.101.66.132
>>     dnsmasq: reply debian.org is 151.101.2.132
>>     dnsmasq: reply debian.org is 151.101.130.132
>>     dnsmasq: reply debian.org is <RRSIG>
>>     dnsmasq: query[DNSKEY] debian.org from ::1
>>     dnsmasq: forwarded debian.org to 2620:49:4::10
>>     dnsmasq: reply is truncated
>>     dnsmasq: query[DNSKEY] debian.org from ::1
>>     dnsmasq: forwarded debian.org to 2620:49:4::10
>>     dnsmasq: reply debian.org is <DNSKEY>
>>     dnsmasq: reply debian.org is <DNSKEY>
>>     dnsmasq: reply debian.org is <DNSKEY>
>>     dnsmasq: reply debian.org is <RRSIG>
>>     dnsmasq: reply debian.org is <RRSIG>
>>     dnsmasq: query[DS] debian.org from ::1
>>     dnsmasq: forwarded debian.org to 2620:49:4::10
>>     dnsmasq: reply debian.org is NODATA
>>     ...
>>
>> In my understanding the DS query must not go to 2620:49:4::10.
> 
> and it does, if you compile dnsmasq with DNSSEC validation, and enable it :) That's of course wrong, blame force of habit.
> 
> 2.92test16 should fix this. It certainly works for me in your excellent test case.

I compiled dnsmasq with DNSSEC support (using `make COPTS=-DHAVE_DNSSEC`) and indeed if I use

	./src/dnsmasq --dnssec --trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D -p 10053 -d -q --server=/debian.org/dns4.easydns.info

I get

	$ delv @::1 -p 10053 debian.org
	;; missing expected cookie from ::1#10053
	;; missing expected cookie from ::1#10053
	;; missing expected cookie from ::1#10053
	;; missing expected cookie from ::1#10053
	; fully validated
	debian.org.		300	IN	A	151.101.2.132
	debian.org.		300	IN	A	151.101.66.132
	debian.org.		300	IN	A	151.101.130.132
	debian.org.		300	IN	A	151.101.194.132
	debian.org.		300	IN	RRSIG	A 8 2 300 20250812095101 20250703090442 21715 debian.org. BoFG3VJoDcjug+4Xz6YAYVOwBvKGDlul7WxTkG2EJQm6SOPTec1UCndQ LsKkAAG0PcP9JYwE1AsaJmjsw0jlHSjORjHXb7vodhnbAE6YCWzOw3JX o4mceWXnC1hQCz3/mevuCgzPtaXloWPLf5W+O/lOZkfEr8cdMuFhRAIb 7FFNh4upw9JlTNQbTvG5J/P0lu/OzLeBwkzoxIQN+vjDCa2ATsVGmQy8 J711Bch0f8903xyynXxG27o1xyuNkzYB

I didn't understand what the cookie issue is. And even with this full
setting resolving www.debian.org doesn't work.

I'm not sure what you mean writing "That's of course wrong." I'd say
that even without DNSSEC enabled (which is mainly about making dnsmasq a
validating resolver) it should be possible to have a validating client.
Is that what you mean, too?

Best regards
Uwe
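As an added example (not dnsmasq's own code), the following Python models the routing rule this thread is about: a DS RRset is published in the parent zone, so a forwarder that picks the upstream for a DS query by the child name (route_naive) sends it to the child's own authoritative server, which answers NODATA and leaves the validating client with a broken trust chain, while selecting by the parent name (route_correct) routes it to the upstream responsible for the parent. The server table, the default-upstream.example name and the function names are constructed assumptions, not dnsmasq internals.

```python
# Added example, not dnsmasq code: models where a forwarder should send a DS
# query given dnsmasq-style --server=/domain/upstream directives.

# Constructed table mirroring the command line from the thread
# (--server=/debian.org/dns4.easydns.info) plus an assumed catch-all upstream.
SERVER_TABLE = {
    "debian.org": "dns4.easydns.info",
    "": "default-upstream.example",  # assumption: default upstream for all else
}


def parent_name(name: str) -> str:
    """Return the parent of a DNS name ('debian.org' -> 'org', 'org' -> '')."""
    return name.rstrip(".").partition(".")[2]


def lookup_upstream(table: dict, name: str) -> str:
    """Longest-suffix match: a /domain/ entry covers the domain and its subdomains."""
    name = name.rstrip(".")
    matches = [
        (len(domain), upstream)
        for domain, upstream in table.items()
        if domain == "" or name == domain or name.endswith("." + domain)
    ]
    return max(matches, key=lambda m: m[0])[1]


def route_naive(table: dict, qname: str, qtype: str) -> str:
    """Buggy: treats DS like any other type, so DS for debian.org goes to
    debian.org's own server, which holds no DS for its own apex (NODATA)."""
    return lookup_upstream(table, qname)


def route_correct(table: dict, qname: str, qtype: str) -> str:
    """DS for a name lives in the parent zone, so choose the upstream by parent."""
    if qtype == "DS":
        return lookup_upstream(table, parent_name(qname))
    return lookup_upstream(table, qname)


if __name__ == "__main__":
    for qtype in ("A", "DNSKEY", "DS"):
        print(qtype, route_naive(SERVER_TABLE, "debian.org", qtype),
              route_correct(SERVER_TABLE, "debian.org", qtype))
```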
