From: Toke Høiland-Jørgensen
To: Simon Kelley
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Date: Tue, 11 Feb 2014 15:01:09 +0100
In-Reply-To: <52FA0AD1.7040703@thekelleys.org.uk> (Simon Kelley's message of "Tue, 11 Feb 2014 11:34:41 +0000")
Message-ID: <87mwhxkau2.fsf@toke.dk>

Simon Kelley writes:

> I've just pushed a load of changes to git, and tagged 2.69test8

Built and installed on my cerowrt box, and seems to work beautifully:

Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: query[A] files.toke.dk from 10.42.0.7
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: forwarded files.toke.dk to 213.80.98.3
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: forwarded files.toke.dk to 213.80.98.2
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DS] toke.dk to 213.80.98.2
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DNSKEY] dk to 213.80.98.2
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DS] dk to 213.80.98.2
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DNSKEY] . to 213.80.98.2
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply . is DNSKEY keytag 33655
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply . is DNSKEY keytag 19036
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DS keytag 26887
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DNSKEY keytag 61294
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DNSKEY keytag 31369
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DNSKEY keytag 26887
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DNSKEY keytag 7665
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply toke.dk is DS keytag 65122
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply toke.dk is DNSKEY keytag 22551
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply toke.dk is DNSKEY keytag 65122
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply tohojo.dk is DS keytag 49471
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply tohojo.dk is DNSKEY keytag 49471
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply tohojo.dk is DNSKEY keytag 30141
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: validation result is SECURE
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply files.toke.dk is
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply web2.tohojo.dk is 144.76.141.113
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: query[AAAA] files.toke.dk from 10.42.0.7
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: cached files.toke.dk is
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: forwarded files.toke.dk to 213.80.98.2
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: validation result is SECURE
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply files.toke.dk is
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply web2.tohojo.dk is 2a01:4f8:200:3141::102
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: query[MX] files.toke.dk from 10.42.0.7
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: forwarded files.toke.dk to 213.80.98.2
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: validation result is SECURE

As for client-side tests:

$ dig +sigchase files.toke.dk @10.42.0.8
...snip...
Launch a query to find a RRset of type DS for zone: .
;; NO ANSWERS: no more
;; WARNING There is no DS for the zone: .
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

I've also updated the x86 builds on OBS:
https://build.opensuse.org/package/repositories/home:tohojo:dnsmasq/dnsmasq

-Toke
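
Added example, not part of the original message or of dnsmasq: a check an operator could run over logs like the one above, confirming that each zone's DS key tag also appears among that zone's DNSKEY key tags, that the root DNSKEY set contains the trust anchor tag 19036 named in the dig output, and that every validation result is SECURE. The function names are illustrative, and a key tag match is only a consistency check on the log, since key tags are not unique and prove nothing cryptographically.

```python
import re
from collections import defaultdict

# A subset of the log lines from the message above, with mail line wrapping undone.
SAMPLE_LOG = """\
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply . is DNSKEY keytag 33655
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply . is DNSKEY keytag 19036
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DS keytag 26887
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DNSKEY keytag 61294
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DNSKEY keytag 26887
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply toke.dk is DS keytag 65122
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply toke.dk is DNSKEY keytag 22551
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply toke.dk is DNSKEY keytag 65122
Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: validation result is SECURE
"""

KEY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (DS|DNSKEY) keytag (\d+)$")
RESULT_RE = re.compile(r"dnsmasq\[\d+\]: validation result is (\S+)$")

def parse(log):
    """Return ({zone: {"DS": set, "DNSKEY": set}}, [validation results in order])."""
    zones = defaultdict(lambda: {"DS": set(), "DNSKEY": set()})
    results = []
    for line in log.splitlines():
        m = KEY_RE.search(line)
        if m:
            zones[m.group(1)][m.group(2)].add(int(m.group(3)))
            continue
        m = RESULT_RE.search(line)
        if m:
            results.append(m.group(1))
    return zones, results

def audit(log, root_anchor_tags):
    """List problems: unlinked DS sets, missing root anchor, non-SECURE results."""
    zones, results = parse(log)
    problems = []
    for zone, keys in sorted(zones.items()):
        if zone == ".":
            # The root has no DS; its DNSKEY set must contain a configured anchor.
            if not keys["DNSKEY"] & set(root_anchor_tags):
                problems.append("root DNSKEY set lacks the configured trust anchor")
        elif keys["DS"] and not keys["DS"] & keys["DNSKEY"]:
            problems.append(f"{zone}: no DNSKEY matches DS keytag(s) {sorted(keys['DS'])}")
    problems += [f"validation result {r}" for r in results if r != "SECURE"]
    return problems

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, {19036}) or "log is consistent")
```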