Message-ID: <535ABC25.5040608@etorok.net>
Date: Fri, 25 Apr 2014 22:48:53 +0300
From: Török Edwin
To: cerowrt-devel@lists.bufferbloat.net
References: <535AAE37.103@thekelleys.org.uk> <535ABAF6.1010509@etorok.net>
In-Reply-To: <535ABAF6.1010509@etorok.net>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] test-ipv6.com vs dnssec

On 04/25/2014 10:43 PM, Török Edwin wrote:
> On 04/25/2014 09:49 PM, Simon Kelley wrote:
>> On 25/04/14 19:01, Jim Gettys wrote:
>>> More specifically, after boot, most of the time test-ipv6.com reports lots
>>> of problems.
>>>
>>> Then I turned off both dnssec and dnssec-check-unsigned, and restarted
>>> dnsmasq; clean bill of health from test-ipv6.com.
>>>
>>> Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
>>> clean bill of health.
>>>
>>> Then I turned on both at the same time, and things are working.
>>>
>>> So we seem to have a boot time race of some sort.
>>> - Jim
>>>
>>
>> test-ipv6.com is unsigned, so the important thing which is likely
>> failing is the query for the DS record of test-ipv6.com, which should
>> return NSEC records proving it doesn't exist, signed by .com

Also retrieving those signatures seems to work (from the LAN):

$ dig +dnssec -t DS test-ipv6.com

; <<>> DiG 9.9.5-3-Debian <<>> +dnssec -t DS test-ipv6.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47250
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test-ipv6.com.                 IN      DS

;; AUTHORITY SECTION:
com.                    874     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1398455240 1800 900 604800 86400
com.                    874     IN      RRSIG   SOA 8 1 900 20140502194720 20140425183720 56657 com. Em3k/33z2feLqtirerPNVE4HwF+ZstYVtR+J7rowCn/++FnDtRv7OBZp rbtNBI90BQj23QjzEkrwaBmVfcFOQSNhdAIHFxPSqOPCWbxdwQxf18yi 3ifhorL9mUX7ir2AqLb57LX+sPaFYOlAPQSIie4+nELiXZfH4mQ2cEXr eLY=
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 874 IN RRSIG NSEC3 8 2 86400 20140501044827 20140424033827 56657 com. JUeicIqLHJIYo10Z0M2LbKefhiW3g2T45jv0l0wxZC/8fdKLCBqIpk2k cjy1CSs1pzpR58BZM3E7QfVMZO61ncCOnK1Zarry6Z0ZYMm54sL625dl MMfYMhMpLVuzbBaK8TJmX3jvQWR8bxkoEXYUy3bP7+x88lHPK6wYkJlB VSA=
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 874 IN NSEC3 1 1 0 - CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
ERPPHPFQOHA3Q5F237FVRROKA4N73V2M.com. 874 IN RRSIG NSEC3 8 2 86400 20140501112409 20140424101409 56657 com. Zbz49pAXUE4iYhGmN3ywbWpWECc4fdBkT2HBwApFLr4UGDG67YbjtxhI D4ihlqTCKZES4/zFp4DqdA45/ha6m6nKUfo4/hE2y/ljhGbx08GqY3Ba cBWvBrfnmS1EGU8Yh1VG8tQ5CYK8qO6isUIzyGaV4Wpn4SQmTEAmaqfn FHk=
ERPPHPFQOHA3Q5F237FVRROKA4N73V2M.com. 874 IN NSEC3 1 1 0 - ERPT5A7MVN31GIUL5DMRAU0K8N2IGLTI NS DS RRSIG

;; Query time: 29 msec
;; SERVER: 172.30.42.1#53(172.30.42.1)
;; WHEN: Fri Apr 25 22:48:01 EEST 2014
;; MSG SIZE  rcvd: 763

>
> According to http://dnssec-debugger.verisignlabs.com/test-ipv6.com
> test-ipv6.com
> No DS records found for test-ipv6.com in the com zone
> Query to ns1.test-ipv6.com/216.218.228.118 for test-ipv6.com/DNSKEY timed out or failed
> Query to ns2.test-ipv6.com/209.128.193.197 for test-ipv6.com/DNSKEY timed out or failed
> Failed to get DNSKEY RR set for zone test-ipv6.com
> No response from test-ipv6.com nameservers
>
> Compare this to a domain that works with check-unsigned on:
> openwrt.org
> No DS records found for openwrt.org in the org zone
> No DNSKEY records found
> openwrt.org A RR has value 78.24.191.177
> No RRSIGs found
>
> Is the timeout/failed DNSKEY reply for test-ipv6.com the problem?
>
> With dnssec-check-unsigned turned on (and no IPv6, just IPv4) I get this:
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[A] test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DNSKEY] com to 213.154.124.1
> dnsmasq: dnssec-query[DS] com to 213.154.124.1
> dnsmasq: dnssec-query[DNSKEY] . to 213.154.124.1
> dnsmasq: reply . is DNSKEY keytag 40926
> dnsmasq: reply . is DNSKEY keytag 19036
> dnsmasq: reply com is DS keytag 30909
> dnsmasq: reply com is DNSKEY keytag 30909
> dnsmasq: reply com is DNSKEY keytag 56657
> dnsmasq: validation result is INSECURE
> dnsmasq: reply test-ipv6.com is 216.218.228.119
> dnsmasq: query[A] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[AAAA] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: query[A] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[AAAA] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[A] ipv6.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv6.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv6.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 193.231.252.1
> dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
> dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply ipv4.test-ipv6.com is NODATA-IPv6
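Added example, not code from the thread or from dnsmasq: Simon's point is that a resolver judges the DS query for the unsigned test-ipv6.com by the NSEC3 denial-of-existence proof that .com returns. The code below recomputes the NSEC3 hashes with the parameters visible in the dig output (SHA-1, 0 iterations, empty salt) and checks the two NSEC3 records from that output the way a validator would: the hash of the closest encloser `com` must match an NSEC3 owner name, and the hash of the next closer name test-ipv6.com must fall inside the second record's span.

```python
import hashlib

# RFC 4648 base32hex alphabet, which NSEC3 uses for hashed owner names.
B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"

def base32hex(data: bytes) -> str:
    """Unpadded base32hex (a 20-byte SHA-1 digest encodes to exactly 32 chars)."""
    n, nbits = int.from_bytes(data, "big"), len(data) * 8
    pad = (-nbits) % 5
    n <<= pad
    return "".join(B32HEX[(n >> s) & 31] for s in range(nbits + pad - 5, -1, -5))

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire format: length-prefixed labels plus root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def nsec3_covers(owner_hash: str, next_hash: str, h: str) -> bool:
    """True when h lies strictly inside the span (owner, next). The last NSEC3 in a
    zone wraps around to the smallest hash, so that case is handled as well."""
    o, nx, h = owner_hash.upper(), next_hash.upper(), h.upper()
    return o < h < nx if o < nx else (h > o or h < nx)

# NSEC3 owner -> next hash, copied from the dig output in the thread. Both records
# carry flags=1 (Opt-Out), 0 iterations and an empty salt ("-").
COM_NSEC3 = {
    "CK0POJMG874LJREF7EFN8430QVIT8BSM": "CK0QFMDQRCSRU0651QLVA1JQB21IF7UR",
    "ERPPHPFQOHA3Q5F237FVRROKA4N73V2M": "ERPT5A7MVN31GIUL5DMRAU0K8N2IGLTI",
}

def check_optout_ds_denial(name: str, zone: str, nsec3s: dict) -> dict:
    """Closest-encloser proof for a DS NODATA at an opt-out delegation (RFC 5155
    section 7.2.4): the parent apex hash must MATCH an NSEC3 owner, and the child's
    hash must be COVERED by (not equal to) some NSEC3 span."""
    child = nsec3_hash(name)
    return {
        "child_hash": child,
        "closest_encloser_matched": nsec3_hash(zone) in nsec3s,
        "next_closer_covered": any(nsec3_covers(o, nx, child) for o, nx in nsec3s.items()),
    }
```

If either flag comes back False for a response your resolver accepted, the proof is incomplete and a validator should treat the DS answer as BOGUS rather than INSECURE.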