From: Toke Høiland-Jørgensen
To: Simon Kelley
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Sun, 09 Feb 2014 13:48:49 +0100
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Message-ID: <87lhxk78pa.fsf@toke.dk>
In-Reply-To: <52F77349.40305@thekelleys.org.uk> (Simon Kelley's message of "Sun, 09 Feb 2014 12:23:37 +0000")

Simon Kelley writes:

> Hmm, that domain validates for me here. It probably makes sense to
> turn dnssec-debug _off_. One of the things it does is to set the
> Checking Disabled bit in queries upstream. I'm advised that this is
> not a good thing to do, since it means the upstream nameserver can
> return the first data it finds, even if it doesn't resolve, whilst
> without CD, it will keep trying other authoritative servers to get
> valid data. I don't understand the details, but that would seem
> applicable here.

Well, turning off dnssec-debug just means I have no name resolution for
such domains:

$ dig +dnssec +sigchase mail2.tohojo.dk @10.42.8.1

:(

;; NO ANSWERS: no more
We want to prove the non-existence of a type of rdata 1 or of the zone:
;; nothing in authority section : impossible to validate the non-existence : FAILED
;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED

$ host mail2.tohojo.dk 10.42.8.1
Using domain server:
Name: 10.42.8.1
Address: 10.42.8.1#53
Aliases:

Host mail2.tohojo.dk not found: 3(NXDOMAIN)

And the dnsmasq logs:

Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk from 10.42.8.106
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.3
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.2
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] dk to 213.80.98.2
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] dk to 213.80.98.2
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: reply dk is BOGUS DS
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: validation result is BOGUS
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: reply mail2.tohojo.dk is 144.76.141.112
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk from 10.42.8.106
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.2
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] dk to 213.80.98.2
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] dk to 213.80.98.2
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: reply dk is BOGUS DS
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: validation result is BOGUS
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: reply mail2.tohojo.dk is 144.76.141.112

It works on my other machine that's not running on cerowrt; so perhaps
it's something architecture-specific?

Interestingly, after failing a DNSSEC resolution, dnsmasq then tries to
append the configured domain:

Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk.karlstad.toke.dk from 10.42.8.106
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: config mail2.tohojo.dk.karlstad.toke.dk is NXDOMAIN

This is probably not desirable?

> OK, you've got to the trust-anchor root keys which are hardwired in as
> part of the dnsmasq configuration. As such, Dnsmasq assumes they are
> valid and doesn't need RRSIGs to check their self-signing. As the
> signatures aren't known, they are not supplied with a query for DNSKEY
> of the root zone. That may be wrong. When providing trust anchors to
> (eg BIND) is it possible/normal to provide the SIGS too?

I suppose it does (?). The file usually supplied with BIND is available
here: http://ftp.isc.org/isc/bind9/keys/9.8/

-Toke
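Added here as an example that is not part of the thread or of dnsmasq itself: a small Python parser for the dnsmasq DNSSEC log lines shown above. It groups each client query with the DNSKEY/DS lookups it triggered and records which RRset was declared BOGUS, so a chain that breaks at the same parent-zone DS on every query (here the DS for dk) stands out from a transient upstream failure. Function and field names are my own; the sample lines are copied (abridged) from the message.

```python
import re
from collections import Counter
# Sample log lines copied (abridged) from the message above.
SAMPLE_LOG = """\
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk from 10.42.8.106
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] dk to 213.80.98.2
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] dk to 213.80.98.2
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: reply dk is BOGUS DS
Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: validation result is BOGUS
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk from 10.42.8.106
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] dk to 213.80.98.2
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: reply dk is BOGUS DS
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: validation result is BOGUS
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk.karlstad.toke.dk from 10.42.8.106
Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: config mail2.tohojo.dk.karlstad.toke.dk is NXDOMAIN
"""
MSG_RE = re.compile(r'dnsmasq\[\d+\]: (.*)$')            # message after the syslog prefix
QUERY_RE = re.compile(r'^query\[(\w+)\] (\S+) from (\S+)')
DNSSEC_RE = re.compile(r'^dnssec-query\[(\w+)\] (\S+) to (\S+)')
BOGUS_RE = re.compile(r'^reply (\S+) is BOGUS (\w+)')
RESULT_RE = re.compile(r'^validation result is (\w+)')

def parse_dnssec_events(text):
    """One record per 'validation result' line: the client query that triggered it, the
    DNSKEY/DS lookups made on the way, and the RRset declared BOGUS (where the chain broke)."""
    events, cur = [], None
    for line in text.splitlines():
        m = MSG_RE.search(line)
        msg = m[1] if m else ''
        if (q := QUERY_RE.match(msg)):            # a new client query starts a new record
            cur = {'qtype': q[1], 'name': q[2], 'client': q[3],
                   'chain': [], 'bogus': None, 'result': None}
        elif cur is None:                         # lines before any query, or noise
            continue
        elif (d := DNSSEC_RE.match(msg)):
            cur['chain'].append((d[1], d[2]))     # (rrtype, zone) fetched for validation
        elif (b := BOGUS_RE.match(msg)):
            cur['bogus'] = (b[2], b[1])           # (rrtype, zone) that failed to validate
        elif (r := RESULT_RE.match(msg)):
            cur['result'] = r[1]                  # queries with no result line are dropped
            events.append(cur)
            cur = None
    return events

def bogus_counts(events):
    """Count (rrtype, zone) pairs that failed; a fixed parent-zone DS failing every time
    points at the validator or its trust anchors rather than at a flaky upstream."""
    return Counter(e['bogus'] for e in events if e['result'] == 'BOGUS')
```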