From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail2.tohojo.dk (mail2.tohojo.dk [IPv6:2a01:4f8:200:3141::101]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by huchra.bufferbloat.net (Postfix) with ESMTPS id 4D3DA21F1D2 for ; Sun, 9 Feb 2014 13:34:13 -0800 (PST) X-Virus-Scanned: amavisd-new at example.com Received: by alrua-x1.borgediget.toke.dk (Postfix, from userid 1000) id 32DAC16DA7; Sun, 9 Feb 2014 22:33:56 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toke.dk; s=201310; t=1391981638; bh=sp1KsYJveWQ7JB7nuNkqGHM9G3JRiGgfvGFeJg5+XsQ=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=v3Xww9irseCXBs+oQ+fu2BO8xfqxeD94XeMFi0mSvPRV419JgZuFrHwxKv5BuUyC1 uZxQLBET5nbfVIVSlsCw5pEhfcxfqPWSw/W+cmDIyRAc24UNz+mSUdcBF8CDc/leof /M42aHyLl9gKPBUfAO8jQwwzN1LAPkjnMvyqgRcc= From: =?utf-8?Q?Toke_H=C3=B8iland-J=C3=B8rgensen?= To: Simon Kelley References: <87a9e6xcae.fsf@alrua-x1.kau.toke.dk> <87ob2lmqny.fsf@toke.dk> <52F29645.6010001@thekelleys.org.uk> <874n4dwcdb.fsf@alrua-x1.kau.toke.dk> <52F2BA80.9010202@thekelleys.org.uk> <87iossvgw4.fsf@alrua-x1.kau.toke.dk> <52F369AA.5060809@thekelleys.org.uk> <8761osv78r.fsf@alrua-x1.kau.toke.dk> <52F371B3.5030406@thekelleys.org.uk> <87k3d8mna8.fsf@toke.dk> <52F3A3B2.8020201@thekelleys.org.uk> <87ppmw7ajj.fsf@toke.dk> <52F77349.40305@thekelleys.org.uk> <87lhxk78pa.fsf@toke.dk> <52F7EC3C.4060505@thekelleys.org.uk> Date: Sun, 09 Feb 2014 22:33:54 +0100 In-Reply-To: <52F7EC3C.4060505@thekelleys.org.uk> (Simon Kelley's message of "Sun, 09 Feb 2014 20:59:40 +0000") Message-ID: <87bnyg55tp.fsf@toke.dk> Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Cc: cerowrt-devel@lists.bufferbloat.net Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC. X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Feb 2014 21:34:13 -0000 --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Simon Kelley writes: > It's possible, indeed that's happened during testing. Dave, could you > talk me through getting the latest dnsmasq package on the 3800 you > gave me? The packages I've built are here: http://archive.tohojo.dk/cerowrt/wndr/3.10.28-4-tohojo/packages/ They're packaged as libhogweed, libnettle, libgmp and dnsmasq-dhcpv6 -- dunno if they're installable without further ado on your box. But if so you should be able to just download those four package files onto your router (stick them in /tmp to avoid running out of flash) and calling opkg to install them... > Note that here, the inception time for the signature of the DS is > 20140208022128, UTC ie late yesterday. Are you sure your clock is > correct, time and _date_? Double-checked the time, and yes, it is recent, including date. Reran the queries, and dnsmasq still complains. > > Please clould you post the result of running > > dig @213.80.98.2 +dnssec ds dk Seems to be the same: ;; ANSWER SECTION: dk. 70561 IN DS 26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1= B60ED3735 F853DFD7 dk. 70561 IN RRSIG DS 8 1 86400 20140216000000 20140208230000 33655 . MAK= i0fADKyqZ3aQilK7pgilLZvZz7sYKjZsw4FVff/9RNEECtZf9FpbI CD76X860kq6Ctf+zTKH5x= vev44hYsER+0IVmN2YiMeMrFlGALIhZVOXN f+MN2cUtIolOb518/lQXBMdmlYyC1Lo7GPTICIJ= 2w82poTTPRai3q/S9 2Qc=3D Also, running it against the dnsmasq instance gives no output; dnsmasq complains in the logs that validation failed. I.e: $ dig @10.42.8.1 +dnssec ds dk=20=20 ; <<>> DiG 9.9.2-P2 <<>> @10.42.8.1 +dnssec ds dk ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53752 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;dk. IN DS ;; Query time: 51 msec ;; SERVER: 10.42.8.1#53(10.42.8.1) ;; WHEN: Sun Feb 9 22:30:52 2014 ;; MSG SIZE rcvd: 31 > That's not dnsmasq, it's the resolver in 10.42.8.106, probably because > /etc/resolv.conf has a search path configured and the wrong value for > ndots. See man resolv.conf for details. Ah, right. Well it does try it without appending the domain first, so I guess ndots is right (my man page says it defaults to 1). However, when it fails (due to dnssec errors), it is retried with the domain appended; which I thought was strange... > OK, so they're not hardwiring them either. Maybe the special-case > processing in dnsmasq that stops queries for DNSKEYS which are known > locally is not the right thing to do. Well if you want to support clients tracing the dnssec results I guess not? :) =2DToke --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBCAAGBQJS9/RCAAoJEENeEGz1+utPhC8H/2yYaOZVbfPdTf88oNRtCxGW k0UHR5TGgLmJQIdt2Zxj0lotFaPOeuoJ8DXVYx/6OF3/8u+t6MQCJ0p6Heft3byQ /eff2jPFWv9w6ouOQih5Esk5fFQvQaQndDbU7WLQ7ZMcbceNIBEA1DExMvG4BWUg 5BwAq1y0pEFIE6iFQF7yResaqrEvg9iTwM66Cld/cUDOBlv6E0zKrNwK9pTmsuUG 8DZeCij+ZKlUO+t29CHqnaYRmY6tdWeoIcFR1QZKbudZ/NsVaHnxSGrhDpL1OIux 1lzKj/PVgEmbTsapv2QIGdOlaxSW4DWXrIZBXRpz2l+41eJ2cckHpbSgff3nNsA= =fDVP -----END PGP SIGNATURE----- --=-=-=--