From: Simon Kelley <simon@thekelleys.org.uk>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Date: Sun, 09 Feb 2014 20:59:40 +0000 [thread overview]
Message-ID: <52F7EC3C.4060505@thekelleys.org.uk> (raw)
In-Reply-To: <87lhxk78pa.fsf@toke.dk>
On 09/02/14 12:48, Toke Høiland-Jørgensen wrote:
> Simon Kelley<simon@thekelleys.org.uk> writes:
>
>> Hmm, that domain validates for me here. It probably makes sense to
>> turn dnssec-debug _off_. One of the things it does is to set the
>> Checking Disabled bit in queries upstream. I'm advised that this is
>> not a good thing to do, since it means the upstream nameserver can
>> return teh first data it finds, even if it doesn't resolve, whilst
>> without CD, the it will keep trying other authoritative servers to get
>> valid data. I don't understand the details, but that would seem
>> applicable here.
>
> Well, turning off dnssec-debug just means I have no name resolution for
> such domains:
>
> $ dig +dnssec +sigchase mail2.tohojo.dk @10.42.8.1 :(
> ;; NO ANSWERS: no more
> We want to prove the non-existence of a type of rdata 1 or of the zone:
> ;; nothing in authority section : impossible to validate the non-existence : FAILED
>
> ;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED
>
> $ host mail2.tohojo.dk 10.42.8.1
> Using domain server:
> Name: 10.42.8.1
> Address: 10.42.8.1#53
> Aliases:
>
> Host mail2.tohojo.dk not found: 3(NXDOMAIN)
>
>
> And the dnsmasq logs:
>
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk from 10.42.8.106
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.3
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] dk to 213.80.98.2
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: reply dk is BOGUS DS
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: validation result is BOGUS
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: reply mail2.tohojo.dk is 144.76.141.112
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk from 10.42.8.106
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] dk to 213.80.98.2
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: reply dk is BOGUS DS
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: validation result is BOGUS
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: reply mail2.tohojo.dk is 144.76.141.112
>
> It works on my other machine that's not running on cerowrt; so perhaps
> it's something architecture-specific?
It's possible, indeed that's happened during testing.
Dave, could you talk me through getting the latest dnsmasq package on
the 3800 you gave me?
Note that here, the inception time for the signature of the DS is
20140208022128, UTC ie late yesterday. Are you sure your clock is
correct, time and _date_?
Please clould you post the result of running
dig @213.80.98.2 +dnssec ds dk
just to check you're getting the same data. 213.80.98.2 won't talk to me.
>
>
>
> Interestingly, after failing a DNSSEC resolution, dnsmasq then tries to
> append the configured domain:
>
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk.karlstad.toke.dk from 10.42.8.106
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: config mail2.tohojo.dk.karlstad.toke.dk is NXDOMAIN
>
> This is probably not desirable?
That's not dnsmasq, it's the resolver in 10.42.8.106, probably because
/etc/resolv.conf has a search path configured and the wrong value for
ndots. See man resolv.conf for details.
>
>> OK, you've got to the trust-anchor root keys which are hardwired in as
>> part of the dnsmasq configuration. As such, Dnsmasq assumes they are
>> valid and doesn't need RRSIGs to check their self-signing. As the
>> signatures aren't known, they are not supplied with a query for DNSKEY
>> of the root zone. That may be wrong. When providing trust anchors to
>> eg BIND) is it possible/normal to provide the SIGS too?
>
> I suppose it does (?). The file usually supplied with BIND is available here:
>
> http://ftp.isc.org/isc/bind9/keys/9.8/
OK, so they're not hardwiring them either. Maybe the special-case
processing in dnsmasq that stops queries for DNSKEYS which are known
locally is not the right thing to do.
Cheers,
Simon.
>
> -Toke
next prev parent reply other threads:[~2014-02-09 20:59 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-04 16:20 Dave Taht
2014-02-05 7:13 ` Toke Høiland-Jørgensen
2014-02-05 17:10 ` Toke Høiland-Jørgensen
2014-02-05 19:51 ` Simon Kelley
2014-02-05 20:09 ` Toke Høiland-Jørgensen
2014-02-05 22:26 ` Simon Kelley
2014-02-06 7:28 ` Toke Høiland-Jørgensen
2014-02-06 10:53 ` Simon Kelley
2014-02-06 10:57 ` Toke Høiland-Jørgensen
2014-02-06 11:27 ` Simon Kelley
2014-02-06 12:35 ` Toke Høiland-Jørgensen
2014-02-06 15:01 ` Simon Kelley
2014-02-09 12:09 ` Toke Høiland-Jørgensen
2014-02-09 12:23 ` Simon Kelley
2014-02-09 12:48 ` Toke Høiland-Jørgensen
2014-02-09 18:04 ` Dave Taht
2014-02-09 18:47 ` Toke Høiland-Jørgensen
2014-02-09 21:02 ` Simon Kelley
2014-02-09 20:59 ` Simon Kelley [this message]
2014-02-09 21:07 ` Dave Taht
2014-02-09 21:16 ` Toke Høiland-Jørgensen
2014-02-09 21:33 ` Toke Høiland-Jørgensen
2014-02-10 10:50 ` Simon Kelley
2014-02-10 11:39 ` Simon Kelley
2014-02-10 12:59 ` Toke Høiland-Jørgensen
2014-02-10 16:45 ` Simon Kelley
2014-02-10 16:59 ` Toke Høiland-Jørgensen
2014-02-10 17:12 ` Simon Kelley
2014-02-10 17:14 ` Dave Taht
2014-02-10 21:47 ` Simon Kelley
2014-02-11 11:34 ` Simon Kelley
2014-02-11 14:01 ` Toke Høiland-Jørgensen
2014-02-11 15:51 ` Simon Kelley
2014-02-11 16:25 ` Toke Høiland-Jørgensen
2014-02-06 13:42 ` Toke Høiland-Jørgensen
2014-02-06 14:40 ` Simon Kelley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52F7EC3C.4060505@thekelleys.org.uk \
--to=simon@thekelleys.org.uk \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=toke@toke.dk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox