From: Simon Kelley
Date: Wed, 05 Feb 2014 19:51:33 +0000
To: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Message-ID: <52F29645.6010001@thekelleys.org.uk>
In-Reply-To: <87ob2lmqny.fsf@toke.dk>
References: <87a9e6xcae.fsf@alrua-x1.kau.toke.dk> <87ob2lmqny.fsf@toke.dk>
On 05/02/14 17:10, Toke Høiland-Jørgensen wrote:
> Toke Høiland-Jørgensen writes:
>
>> Can add it to my bufferbloat OBS :)
>
> Right, so packages available for Arch, Debian 7 and Ubuntu 12.04, 12.10
> and 13.10 are available from here:
> https://build.opensuse.org/project/repositories/home:tohojo:dnsmasq
>
> For some reason, signature verification is failing for me on the Arch
> repo.

Same CPU architecture as the working systems, or different?

> Also, installed it on my workstation, and it seems to do *something* at
> least. Running with --log-queries I get output like this:
>
> dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1
> dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1
> dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1
> dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1
> dnsmasq[19525]: reply tohojo.dk is DS keytag 49471
> dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 30141
> dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 49471
> dnsmasq[19525]: validation result is SECURE
>
> (I'm still running BIND on localhost on a different port which is why
> it's forwarded to there...)
>
> And sometimes there's also lines saying
>
> dnsmasq[19525]: validation result is INSECURE
>
> but mostly from in-addr.arpa and other places that I wouldn't expect to
> be verified.
>
> Finally there's a bunch of queries that don't say anything about dnssec
> anywhere.

That's expected for

1) queries answered from local configuration (/etc/hosts etc)
2) queries answered with data from DHCP (this is probably not relevant)
3) queries answered from the cache. The verification result is stored in
   the cache and not repeated.

The log gives the source of the data, so these should be identifiable.

> Oh, and --dnssec-debug doesn't seem to do anything.

It does two things, the results of which are not externally obvious.

1) It sets the cd (checking disabled) bit in upstream queries, so that it's
   possible to check that invalid data is identified, rather than just
   getting a SERVFAIL from the upstream server.

2) It suppresses SERVFAIL as the reply to queries whose answer doesn't
   verify, for similar reasons.

Cheers,

Simon.

> -Toke
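Simon's point that cache and local hits log no validation result, while forwarded queries do, suggests grouping --log-queries output per client query and flagging only forwarded answers that never reached a "validation result" line. The parser below is an added example written for this post, not code from the thread or from dnsmasq; its sample log reuses the lines Toke quoted, and the query/forwarded/cached lines are constructed in dnsmasq's usual log format rather than captured.

```python
import re

# Constructed sample of dnsmasq --log-queries output, modelled on the lines quoted
# in the thread; the query/forwarded/cached lines follow dnsmasq's usual format.
SAMPLE_LOG = """\
dnsmasq[19525]: query[A] tohojo.dk from 127.0.0.1
dnsmasq[19525]: forwarded tohojo.dk to 127.0.0.1
dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1
dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1
dnsmasq[19525]: reply tohojo.dk is DS keytag 49471
dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 30141
dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 49471
dnsmasq[19525]: validation result is SECURE
dnsmasq[19525]: query[PTR] 1.0.168.192.in-addr.arpa from 127.0.0.1
dnsmasq[19525]: forwarded 1.0.168.192.in-addr.arpa to 127.0.0.1
dnsmasq[19525]: validation result is INSECURE
dnsmasq[19525]: query[A] tohojo.dk from 127.0.0.1
dnsmasq[19525]: cached tohojo.dk is 192.0.2.10
"""
QUERY = re.compile(r"query\[(\w+)\] (\S+) from ")
SOURCE = re.compile(r"(forwarded|cached|/etc/hosts) (\S+) ")
KEYTAG = re.compile(r"reply (\S+) is (DS|DNSKEY) keytag (\d+)")
RESULT = re.compile(r"validation result is (\w+)")

def parse_log(text):
    """One record per client query; assumes one query's lines are not
    interleaved with another's (true here, not guaranteed on a busy resolver)."""
    records, cur = [], None
    for line in text.splitlines():
        body = line.split("]: ", 1)[-1]  # drop "dnsmasq[pid]: " and any syslog prefix
        if m := QUERY.match(body):
            cur = {"type": m[1], "name": m[2], "source": None,
                   "keytags": [], "result": None}
            records.append(cur)
        elif cur is None:
            continue
        elif m := SOURCE.match(body):
            cur["source"] = m[1]
        elif m := KEYTAG.match(body):
            cur["keytags"].append((m[2], int(m[3])))
        elif m := RESULT.match(body):
            cur["result"] = m[1]
    return records

def unvalidated_forwards(records):
    """Forwarded answers with no validation result logged; cache and
    /etc/hosts hits log none by design, so only these merit a look."""
    return [r["name"] for r in records
            if r["source"] == "forwarded" and r["result"] is None]
```

On the sample, the two forwarded queries come back SECURE and INSECURE respectively, the cached repeat carries no result, and the unvalidated list is empty.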