Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

Development issues regarding the cerowrt test router project
 help / color / mirror / Atom feed

From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Date: Sun, 09 Feb 2014 13:48:49 +0100	[thread overview]
Message-ID: <87lhxk78pa.fsf@toke.dk> (raw)
In-Reply-To: <52F77349.40305@thekelleys.org.uk> (Simon Kelley's message of "Sun, 09 Feb 2014 12:23:37 +0000")

[-- Attachment #1: Type: text/plain, Size: 4012 bytes --]

Simon Kelley <simon@thekelleys.org.uk> writes:

> Hmm, that domain validates for me here. It probably makes sense to
> turn dnssec-debug _off_. One of the things it does is to set the
> Checking Disabled bit in queries upstream. I'm advised that this is
> not a good thing to do, since it means the upstream nameserver can
> return teh first data it finds, even if it doesn't resolve, whilst
> without CD, the it will keep trying other authoritative servers to get
> valid data. I don't understand the details, but that would seem
> applicable here.

Well, turning off dnssec-debug just means I have no name resolution for
such domains:

$ dig +dnssec +sigchase mail2.tohojo.dk @10.42.8.1                                                                                                         :(
;; NO ANSWERS: no more
We want to prove the non-existence of a type of rdata 1 or of the zone: 
;; nothing in authority section : impossible to validate the non-existence : FAILED

;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED

$ host mail2.tohojo.dk 10.42.8.1
Using domain server:
Name: 10.42.8.1
Address: 10.42.8.1#53
Aliases: 

Host mail2.tohojo.dk not found: 3(NXDOMAIN)


And the dnsmasq logs:

Sun Feb  9 13:45:22 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk from 10.42.8.106
Sun Feb  9 13:45:22 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.3
Sun Feb  9 13:45:22 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.2
Sun Feb  9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Sun Feb  9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Sun Feb  9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] dk to 213.80.98.2
Sun Feb  9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] dk to 213.80.98.2
Sun Feb  9 13:45:22 2014 daemon.info dnsmasq[6698]: reply dk is BOGUS DS
Sun Feb  9 13:45:22 2014 daemon.info dnsmasq[6698]: validation result is BOGUS
Sun Feb  9 13:45:22 2014 daemon.info dnsmasq[6698]: reply mail2.tohojo.dk is 144.76.141.112
Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk from 10.42.8.106
Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.2
Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] dk to 213.80.98.2
Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] dk to 213.80.98.2
Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: reply dk is BOGUS DS
Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: validation result is BOGUS
Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: reply mail2.tohojo.dk is 144.76.141.112

It works on my other machine that's not running on cerowrt; so perhaps
it's something architecture-specific?



Interestingly, after failing a DNSSEC resolution, dnsmasq then tries to
append the configured domain:

Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk.karlstad.toke.dk from 10.42.8.106
Sun Feb  9 13:45:32 2014 daemon.info dnsmasq[6698]: config mail2.tohojo.dk.karlstad.toke.dk is NXDOMAIN

This is probably not desirable?

> OK, you've got to the trust-anchor root keys which are hardwired in as
> part of the dnsmasq configuration. As such, Dnsmasq assumes they are
> valid and doesn't need RRSIGs to check their self-signing. As the
> signatures aren't known, they are not supplied with a query for DNSKEY
> of the root zone. That may be wrong. When providing trust anchors to
> eg BIND) is it possible/normal to provide the SIGS too?

I suppose it does (?). The file usually supplied with BIND is available here:

http://ftp.isc.org/isc/bind9/keys/9.8/

-Toke

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 489 bytes --]

next prev parent reply	other threads:[~2014-02-09 12:49 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-04 16:20 Dave Taht
2014-02-05  7:13 ` Toke Høiland-Jørgensen
2014-02-05 17:10   ` Toke Høiland-Jørgensen
2014-02-05 19:51     ` Simon Kelley
2014-02-05 20:09       ` Toke Høiland-Jørgensen
2014-02-05 22:26         ` Simon Kelley
2014-02-06  7:28           ` Toke Høiland-Jørgensen
2014-02-06 10:53             ` Simon Kelley
2014-02-06 10:57               ` Toke Høiland-Jørgensen
2014-02-06 11:27                 ` Simon Kelley
2014-02-06 12:35                   ` Toke Høiland-Jørgensen
2014-02-06 15:01                     ` Simon Kelley
2014-02-09 12:09                       ` Toke Høiland-Jørgensen
2014-02-09 12:23                         ` Simon Kelley
2014-02-09 12:48                           ` Toke Høiland-Jørgensen [this message]
2014-02-09 18:04                             ` Dave Taht
2014-02-09 18:47                               ` Toke Høiland-Jørgensen
2014-02-09 21:02                               ` Simon Kelley
2014-02-09 20:59                             ` Simon Kelley
2014-02-09 21:07                               ` Dave Taht
2014-02-09 21:16                                 ` Toke Høiland-Jørgensen
2014-02-09 21:33                               ` Toke Høiland-Jørgensen
2014-02-10 10:50                                 ` Simon Kelley
2014-02-10 11:39                                 ` Simon Kelley
2014-02-10 12:59                                   ` Toke Høiland-Jørgensen
2014-02-10 16:45                                     ` Simon Kelley
2014-02-10 16:59                                       ` Toke Høiland-Jørgensen
2014-02-10 17:12                                         ` Simon Kelley
2014-02-10 17:14                                         ` Dave Taht
2014-02-10 21:47                                           ` Simon Kelley
2014-02-11 11:34                                         ` Simon Kelley
2014-02-11 14:01                                           ` Toke Høiland-Jørgensen
2014-02-11 15:51                                             ` Simon Kelley
2014-02-11 16:25                                               ` Toke Høiland-Jørgensen
2014-02-06 13:42                   ` Toke Høiland-Jørgensen
2014-02-06 14:40                     ` Simon Kelley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87lhxk78pa.fsf@toke.dk \
    --to=toke@toke.dk \
    --cc=cerowrt-devel@lists.bufferbloat.net \
    --cc=simon@thekelleys.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox