From: Simon Kelley
Date: Mon, 10 Feb 2014 10:50:40 +0000
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel@lists.bufferbloat.net
Message-ID: <52F8AF00.90105@thekelleys.org.uk>
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
On 09/02/14 21:33, Toke Høiland-Jørgensen wrote:
> Simon Kelley writes:
>
>> It's possible, indeed that's happened during testing. Dave, could you
>> talk me through getting the latest dnsmasq package on the 3800 you
>> gave me?
>
> The packages I've built are here:
> http://archive.tohojo.dk/cerowrt/wndr/3.10.28-4-tohojo/packages/
>
> They're packaged as libhogweed, libnettle, libgmp and dnsmasq-dhcpv6 --
> dunno if they're installable without further ado on your box. But if so
> you should be able to just download those four package files onto your
> router (stick them in /tmp to avoid running out of flash) and calling
> opkg to install them...
>
>> Note that here, the inception time for the signature of the DS is
>> 20140208022128, UTC i.e. late yesterday. Are you sure your clock is
>> correct, time and _date_?
>
> Double-checked the time, and yes, it is recent, including date. Reran
> the queries, and dnsmasq still complains.
>
>>
>> Please could you post the result of running
>>
>> dig @213.80.98.2 +dnssec ds dk
>
> Seems to be the same:
>
> ;; ANSWER SECTION:
> dk. 70561 IN DS 26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1B60ED3735 F853DFD7
> dk. 70561 IN RRSIG DS 8 1 86400 20140216000000 20140208230000 33655 . MAKi0fADKyqZ3aQilK7pgilLZvZz7sYKjZsw4FVff/9RNEECtZf9FpbI CD76X860kq6Ctf+zTKH5xvev44hYsER+0IVmN2YiMeMrFlGALIhZVOXN f+MN2cUtIolOb518/lQXBMdmlYyC1Lo7GPTICIJ2w82poTTPRai3q/S9 2Qc=
>
> Also, running it against the dnsmasq instance gives no output; dnsmasq
> complains in the logs that validation failed. I.e.:
>
> $ dig @10.42.8.1 +dnssec ds dk
>
> ; <<>> DiG 9.9.2-P2 <<>> @10.42.8.1 +dnssec ds dk
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53752
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;dk. IN DS
>
> ;; Query time: 51 msec
> ;; SERVER: 10.42.8.1#53(10.42.8.1)
> ;; WHEN: Sun Feb 9 22:30:52 2014
> ;; MSG SIZE rcvd: 31
>

OK. One more question: is this a general failure with all TLDs failing, or
is it limited to .dk? I'll fire up the 3800 and see what I can find.......

>
>> That's not dnsmasq, it's the resolver in 10.42.8.106, probably because
>> /etc/resolv.conf has a search path configured and the wrong value for
>> ndots. See man resolv.conf for details.
>
> Ah, right. Well it does try it without appending the domain first, so I
> guess ndots is right (my man page says it defaults to 1). However, when
> it fails (due to dnssec errors), it is retried with the domain appended;
> which I thought was strange...
>
>> OK, so they're not hardwiring them either. Maybe the special-case
>> processing in dnsmasq that stops queries for DNSKEYs which are known
>> locally is not the right thing to do.
>
> Well if you want to support clients tracing the dnssec results I guess
> not? :)

I've just pushed a fix into git that should sort this one.

Cheers,

Simon.

>
> -Toke
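Simon's first question in the thread is whether the router's clock falls inside the validity window of the DS signature. The following is an added example, not code from the thread or from dnsmasq: it parses the dk. DS RRSIG exactly as dig printed it in the quoted output and classifies a validator's clock against the inception/expiration window, with an optional skew tolerance. The sample record is copied from the thread; the function names and the skew parameter are constructed here.

```python
import base64
from datetime import datetime, timezone

# Constructed sample: the "dk." DS RRSIG as dig printed it in the thread, with the
# base64 signature wrapped across several whitespace-separated chunks.
SAMPLE_RRSIG = (
    "dk. 70561 IN RRSIG DS 8 1 86400 20140216000000 20140208230000 33655 . "
    "MAKi0fADKyqZ3aQilK7pgilLZvZz7sYKjZsw4FVff/9RNEECtZf9FpbI "
    "CD76X860kq6Ctf+zTKH5xvev44hYsER+0IVmN2YiMeMrFlGALIhZVOXN "
    "f+MN2cUtIolOb518/lQXBMdmlYyC1Lo7GPTICIJ2w82poTTPRai3q/S9 "
    "2Qc="
)


def parse_sigtime(text):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034, 3.1.5)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG in dig presentation format: owner ttl class RRSIG
    type-covered alg labels orig-ttl expiration inception keytag signer sig."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "orig_ttl": int(f[7]),
        "expiration": parse_sigtime(f[8]), "inception": parse_sigtime(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
        # dig splits the signature into chunks; rejoin before decoding.
        "signature": base64.b64decode("".join(f[12:])),
    }


def check_window(rrsig, now, skew=0):
    """Classify `now` against the signature validity window. `skew` (seconds)
    is the clock tolerance a validator is willing to allow at both ends."""
    earliest = rrsig["inception"].timestamp() - skew
    latest = rrsig["expiration"].timestamp() + skew
    t = now.timestamp()
    if t < earliest:
        return "not-yet-valid"   # typical symptom of a router clock set in the past
    if t > latest:
        return "expired"
    return "valid"


def diagnose(line, clock_text, skew=0):
    """RRSIG line plus the validator's clock (YYYYMMDDHHmmSS UTC) -> verdict."""
    return check_window(parse_rrsig(line), parse_sigtime(clock_text), skew)
```

Feeding it the time from the dig "WHEN:" line shows the record was inside its window at the time of the thread, so a clock problem would have had to be a date, not a time, error.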