Development issues regarding the cerowrt test router project
From: Simon Kelley <simon@thekelleys.org.uk>
To: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Date: Wed, 05 Feb 2014 19:51:33 +0000
Message-ID: <52F29645.6010001@thekelleys.org.uk>
In-Reply-To: <87ob2lmqny.fsf@toke.dk>

On 05/02/14 17:10, Toke Høiland-Jørgensen wrote:
> Toke Høiland-Jørgensen <toke@toke.dk> writes:
>
>> Can add it to my bufferbloat OBS :)
>
> Right, so packages available for Arch, Debian 7 and Ubuntu 12.04, 12.10
> and 13.10 are available from here:
> https://build.opensuse.org/project/repositories/home:tohojo:dnsmasq
>
> For some reason, signature verification is failing for me on the Arch
> repo.

Same CPU architecture as the working systems, or different?
>
>
> Also, installed it on my workstation, and it seems to do *something* at
> least. Running with --log-queries I get output like this:
>
> dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1
> dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1
> dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1
> dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1
> dnsmasq[19525]: reply tohojo.dk is DS keytag 49471
> dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 30141
> dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 49471
> dnsmasq[19525]: validation result is SECURE
>
> (I'm still running BIND on localhost on a different port which is why
> it's forwarded to there...)
>
> And sometimes there's also lines saying
>
> dnsmasq[19525]: validation result is INSECURE
>
> but mostly from in-addr.arpa and other places that I wouldn't expect to
> be verified.
>
> Finally there's a bunch of queries that don't say anything about dnssec
> anywhere.
>
That's expected for 1) queries answered from local configuration 
(/etc/hosts etc) 2) queries answered with data from DHCP (this is 
probably not relevant) 3) queries answered from the cache. The 
verification result is stored in the cache and not repeated.

The log gives the source of the data, so these should be identifiable.

> Oh, and --dnssec-debug doesn't seem to do anything.

It does two things, the results of which are not externally obvious.

1) It sets the cd (checking disabled) bit in upstream queries, so that 
it's possible to check that invalid data is identified, rather than just 
getting a SERVFAIL from the upstream server.

2) It suppresses SERVFAIL as the reply to queries whose answer doesn't 
verify, for similar reasons.


Cheers,

Simon.
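
Added example (not code from the thread or from dnsmasq): a small Python script that groups dnsmasq --log-queries output per client query and reports why a query carries no validation verdict, following Simon's three cases above. The tohojo.dk lines are modelled on the ones Toke quoted; the query/forwarded/cached//etc/hosts line shapes, and attaching a nameless "validation result" line to the most recent query, are assumptions about dnsmasq's logging.

```python
import re

# Constructed sample in dnsmasq --log-queries style. The tohojo.dk lines mirror
# the ones quoted in the thread; the query/forwarded/cached//etc/hosts line
# formats are assumed from dnsmasq's usual logging, not taken from the message.
SAMPLE_LOG = """\
dnsmasq[19525]: query[A] tohojo.dk from 127.0.0.1
dnsmasq[19525]: forwarded tohojo.dk to 127.0.0.1
dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1
dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1
dnsmasq[19525]: reply tohojo.dk is DS keytag 49471
dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 30141
dnsmasq[19525]: validation result is SECURE
dnsmasq[19525]: query[PTR] 1.0.0.10.in-addr.arpa from 127.0.0.1
dnsmasq[19525]: forwarded 1.0.0.10.in-addr.arpa to 127.0.0.1
dnsmasq[19525]: validation result is INSECURE
dnsmasq[19525]: query[A] tohojo.dk from 127.0.0.1
dnsmasq[19525]: cached tohojo.dk is 192.0.2.10
dnsmasq[19525]: query[A] printer.lan from 127.0.0.1
dnsmasq[19525]: /etc/hosts printer.lan is 10.0.0.5
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from \S+")
SOURCE_RE = re.compile(r": (forwarded|cached|/etc/hosts|DHCP) (\S+) (?:to|is) ")
RESULT_RE = re.compile(r"validation result is (\w+)")
LOCAL_SOURCES = ("cached", "/etc/hosts", "DHCP")  # answered without upstream

def parse(log):
    """Group log lines per client query: name, type, data source, verdict."""
    events = []
    for line in log.splitlines():
        if (m := QUERY_RE.search(line)):
            events.append({"name": m.group(2), "qtype": m.group(1),
                           "source": None, "validation": None})
        elif (m := SOURCE_RE.search(line)) and events:
            events[-1]["source"] = m.group(1)
        elif (m := RESULT_RE.search(line)) and events:
            # The verdict line names no owner (assumption); attach it to the
            # query currently in flight, i.e. the most recent query[...] line.
            events[-1]["validation"] = m.group(1)
    return events

def status(ev):
    """Explain why a query did or did not get a validation verdict."""
    if ev["validation"]:
        return ev["validation"]
    if ev["source"] in LOCAL_SOURCES:
        return "not validated: answered from " + ev["source"]
    return "MISSING: forwarded upstream but no verdict logged"

def summarize(log):
    return [(ev["name"], ev["qtype"], status(ev)) for ev in parse(log)]

if __name__ == "__main__":
    for name, qtype, verdict in summarize(SAMPLE_LOG):
        print(f"{qtype:4} {name:25} {verdict}")
```

Only the "MISSING" case is worth chasing: a forwarded query that never produced a verdict, which none of Simon's three expected cases explains.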
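
Added example (not dnsmasq code): a minimal DNS query builder that sets the CD bit, which is what Simon says --dnssec-debug does to upstream queries, and a reader for what a reply header then tells a forwarder that validates locally. Bit positions follow RFC 1035 and RFC 4035; the reply headers are constructed inline for illustration, and that dnsmasq uses the standard CD bit is an assumption.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035): RD, AD (authentic data) and
# CD (checking disabled). RCODE lives in the low four bits of the flags.
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
QTYPE_DS, QTYPE_DNSKEY = 43, 48

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid, checking_disabled):
    """One-question query. checking_disabled=True mirrors what --dnssec-debug
    does upstream (assumption: dnsmasq sets the standard CD bit)."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def flags_of(packet):
    return struct.unpack("!H", packet[2:4])[0]

def make_reply_header(txid, rcode, ad=False):
    """Constructed reply header (QR, RD, RA set); illustration only."""
    flags = 0x8000 | FLAG_RD | 0x0080 | (FLAG_AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def classify_reply(packet):
    """What the reply header means to a forwarder that validates itself."""
    flags = flags_of(packet)
    if flags & 0xF == RCODE_SERVFAIL:
        # Upstream validator refused to hand over the data: with CD clear
        # this is all a local validator ever sees of a bogus answer.
        return "servfail-upstream-rejected"
    if flags & FLAG_AD:
        return "data-upstream-validated"   # still re-checked locally
    return "data-unvalidated"              # local validator decides

if __name__ == "__main__":
    q = build_query("tohojo.dk", QTYPE_DNSKEY, 0x1234, checking_disabled=True)
    print("CD set in upstream query:", bool(flags_of(q) & FLAG_CD))
    for rcode, ad in ((RCODE_SERVFAIL, False), (RCODE_NOERROR, True), (RCODE_NOERROR, False)):
        print(classify_reply(make_reply_header(0x1234, rcode, ad)))
```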

