From: Dave Taht <dave.taht@gmail.com>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>
Cc: "cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Date: Sun, 9 Feb 2014 10:04:55 -0800 [thread overview]
Message-ID: <CAA93jw7CvCyLxNj7KYnN9FtFxA-0u4q8JcSe73574ojjUZj4Jg@mail.gmail.com> (raw)
In-Reply-To: <87lhxk78pa.fsf@toke.dk>
Got the right time?
I have no idea how to deal with the time headache still, besides adding
an un-validating-resolver to ntpdate, and sanity checks in dnsmasq like
(if system time is < my build time, don't do dnssec) - but the latter
is imperfect.
http://www.bufferbloat.net/issues/113
On Sun, Feb 9, 2014 at 4:48 AM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> Simon Kelley <simon@thekelleys.org.uk> writes:
>
>> Hmm, that domain validates for me here. It probably makes sense to
>> turn dnssec-debug _off_. One of the things it does is to set the
>> Checking Disabled bit in queries upstream. I'm advised that this is
>> not a good thing to do, since it means the upstream nameserver can
>> return teh first data it finds, even if it doesn't resolve, whilst
>> without CD, the it will keep trying other authoritative servers to get
>> valid data. I don't understand the details, but that would seem
>> applicable here.
>
> Well, turning off dnssec-debug just means I have no name resolution for
> such domains:
>
> $ dig +dnssec +sigchase mail2.tohojo.dk @10.42.8.1 :(
> ;; NO ANSWERS: no more
> We want to prove the non-existence of a type of rdata 1 or of the zone:
> ;; nothing in authority section : impossible to validate the non-existence : FAILED
>
> ;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED
>
> $ host mail2.tohojo.dk 10.42.8.1
> Using domain server:
> Name: 10.42.8.1
> Address: 10.42.8.1#53
> Aliases:
>
> Host mail2.tohojo.dk not found: 3(NXDOMAIN)
>
>
> And the dnsmasq logs:
>
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk from 10.42.8.106
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.3
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] dk to 213.80.98.2
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: reply dk is BOGUS DS
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: validation result is BOGUS
> Sun Feb 9 13:45:22 2014 daemon.info dnsmasq[6698]: reply mail2.tohojo.dk is 144.76.141.112
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk from 10.42.8.106
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: forwarded mail2.tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: dnssec-query[DS] dk to 213.80.98.2
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: reply dk is BOGUS DS
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: validation result is BOGUS
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: reply mail2.tohojo.dk is 144.76.141.112
>
> It works on my other machine that's not running on cerowrt; so perhaps
> it's something architecture-specific?
>
>
>
> Interestingly, after failing a DNSSEC resolution, dnsmasq then tries to
> append the configured domain:
>
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: query[A] mail2.tohojo.dk.karlstad.toke.dk from 10.42.8.106
> Sun Feb 9 13:45:32 2014 daemon.info dnsmasq[6698]: config mail2.tohojo.dk.karlstad.toke.dk is NXDOMAIN
>
> This is probably not desirable?
>
>> OK, you've got to the trust-anchor root keys which are hardwired in as
>> part of the dnsmasq configuration. As such, Dnsmasq assumes they are
>> valid and doesn't need RRSIGs to check their self-signing. As the
>> signatures aren't known, they are not supplied with a query for DNSKEY
>> of the root zone. That may be wrong. When providing trust anchors to
>> eg BIND) is it possible/normal to provide the SIGS too?
>
> I suppose it does (?). The file usually supplied with BIND is available here:
>
> http://ftp.isc.org/isc/bind9/keys/9.8/
>
> -Toke
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
next prev parent reply other threads:[~2014-02-09 18:04 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-04 16:20 Dave Taht
2014-02-05 7:13 ` Toke Høiland-Jørgensen
2014-02-05 17:10 ` Toke Høiland-Jørgensen
2014-02-05 19:51 ` Simon Kelley
2014-02-05 20:09 ` Toke Høiland-Jørgensen
2014-02-05 22:26 ` Simon Kelley
2014-02-06 7:28 ` Toke Høiland-Jørgensen
2014-02-06 10:53 ` Simon Kelley
2014-02-06 10:57 ` Toke Høiland-Jørgensen
2014-02-06 11:27 ` Simon Kelley
2014-02-06 12:35 ` Toke Høiland-Jørgensen
2014-02-06 15:01 ` Simon Kelley
2014-02-09 12:09 ` Toke Høiland-Jørgensen
2014-02-09 12:23 ` Simon Kelley
2014-02-09 12:48 ` Toke Høiland-Jørgensen
2014-02-09 18:04 ` Dave Taht [this message]
2014-02-09 18:47 ` Toke Høiland-Jørgensen
2014-02-09 21:02 ` Simon Kelley
2014-02-09 20:59 ` Simon Kelley
2014-02-09 21:07 ` Dave Taht
2014-02-09 21:16 ` Toke Høiland-Jørgensen
2014-02-09 21:33 ` Toke Høiland-Jørgensen
2014-02-10 10:50 ` Simon Kelley
2014-02-10 11:39 ` Simon Kelley
2014-02-10 12:59 ` Toke Høiland-Jørgensen
2014-02-10 16:45 ` Simon Kelley
2014-02-10 16:59 ` Toke Høiland-Jørgensen
2014-02-10 17:12 ` Simon Kelley
2014-02-10 17:14 ` Dave Taht
2014-02-10 21:47 ` Simon Kelley
2014-02-11 11:34 ` Simon Kelley
2014-02-11 14:01 ` Toke Høiland-Jørgensen
2014-02-11 15:51 ` Simon Kelley
2014-02-11 16:25 ` Toke Høiland-Jørgensen
2014-02-06 13:42 ` Toke Høiland-Jørgensen
2014-02-06 14:40 ` Simon Kelley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAA93jw7CvCyLxNj7KYnN9FtFxA-0u4q8JcSe73574ojjUZj4Jg@mail.gmail.com \
--to=dave.taht@gmail.com \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=toke@toke.dk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox