[Cerowrt-devel] [Dnsmasq-discuss] test-ipv6.com vs dnssec

Török Edwin edwin+ml-cerowrt at etorok.net
Fri Apr 25 15:48:53 EDT 2014 

On 04/25/2014 10:43 PM, Török Edwin wrote:
> On 04/25/2014 09:49 PM, Simon Kelley wrote:
>> On 25/04/14 19:01, Jim Gettys wrote:
>>> More specifically, after boot, most of the time test-ipv6.com reports lots
>>> of problems.
>>>
>>> Then I turned off both dnssec and dnssec-check-unsigned, and restarted
>>> dnsmasq; clean bill of health from test-ipv6.com.
>>>
>>> Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
>>> clean bill of health.
>>>
>>> Then I turned on both at the same time, and things are working.
>>>
>>> So we seem to have a boot time race of some sort.
>>>                               - Jim
>>>
>>>
>>
>>
>> test-ipv6.com is unsigned, so the important thing which is likely
>> failing is the query for the DS record of test-ipv6.com, which should
>> return NSEC records providing it doesn't exist, signed by .com

Also retrieving those signatures seems to work (from the LAN):
$ dig +dnssec -t DS test-ipv6.com

; <<>> DiG 9.9.5-3-Debian <<>> +dnssec -t DS test-ipv6.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47250
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test-ipv6.com.                 IN      DS

;; AUTHORITY SECTION:
com.                    874     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1398455240 1800 900 604800 86400
com.                    874     IN      RRSIG   SOA 8 1 900 20140502194720 20140425183720 56657 com. Em3k/33z2feLqtirerPNVE4HwF+ZstYVtR+J7rowCn/++FnDtRv7OBZp rbtNBI90BQj23QjzEkrwaBmVfcFOQSNhdAIHFxPSqOPCWbxdwQxf18yi 3ifhorL9mUX7ir2AqLb57LX+sPaFYOlAPQSIie4+nELiXZfH4mQ2cEXr eLY=
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 874 IN RRSIG NSEC3 8 2 86400 20140501044827 20140424033827 56657 com. JUeicIqLHJIYo10Z0M2LbKefhiW3g2T45jv0l0wxZC/8fdKLCBqIpk2k cjy1CSs1pzpR58BZM3E7QfVMZO61ncCOnK1Zarry6Z0ZYMm54sL625dl MMfYMhMpLVuzbBaK8TJmX3jvQWR8bxkoEXYUy3bP7+x88lHPK6wYkJlB VSA=
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 874 IN NSEC3 1 1 0 - CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
ERPPHPFQOHA3Q5F237FVRROKA4N73V2M.com. 874 IN RRSIG NSEC3 8 2 86400 20140501112409 20140424101409 56657 com. Zbz49pAXUE4iYhGmN3ywbWpWECc4fdBkT2HBwApFLr4UGDG67YbjtxhI D4ihlqTCKZES4/zFp4DqdA45/ha6m6nKUfo4/hE2y/ljhGbx08GqY3Ba cBWvBrfnmS1EGU8Yh1VG8tQ5CYK8qO6isUIzyGaV4Wpn4SQmTEAmaqfn FHk=
ERPPHPFQOHA3Q5F237FVRROKA4N73V2M.com. 874 IN NSEC3 1 1 0 - ERPT5A7MVN31GIUL5DMRAU0K8N2IGLTI NS DS RRSIG

;; Query time: 29 msec
;; SERVER: 172.30.42.1#53(172.30.42.1)
;; WHEN: Fri Apr 25 22:48:01 EEST 2014
;; MSG SIZE  rcvd: 763


> 
> According to http://dnssec-debugger.verisignlabs.com/test-ipv6.com
> test-ipv6.com 	
> 	No DS records found for test-ipv6.com in the com zone
> 	Query to ns1.test-ipv6.com/216.218.228.118 for test-ipv6.com/DNSKEY timed out or failed
> 	Query to ns2.test-ipv6.com/209.128.193.197 for test-ipv6.com/DNSKEY timed out or failed
> 	Failed to get DNSKEY RR set for zone test-ipv6.com
> 	No response from test-ipv6.com nameservers
> 
> Compare this to a domain that works with check-unsigned on:
> openwrt.org 	
> 	No DS records found for openwrt.org in the org zone
> 	No DNSKEY records found
> 	openwrt.org A RR has value 78.24.191.177
> 	No RRSIGs found
> 
> Is the timeout/failed DNSKEY reply for test-ipv6.com the problem?
> 
> with dnssec-check-unsigned turned on (and no IPv6, just IPv4) I get this:
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[A] test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DNSKEY] com to 213.154.124.1
> dnsmasq: dnssec-query[DS] com to 213.154.124.1
> dnsmasq: dnssec-query[DNSKEY] . to 213.154.124.1
> dnsmasq: reply . is DNSKEY keytag 40926
> dnsmasq: reply . is DNSKEY keytag 19036
> dnsmasq: reply com is DS keytag 30909
> dnsmasq: reply com is DNSKEY keytag 30909
> dnsmasq: reply com is DNSKEY keytag 56657
> dnsmasq: validation result is INSECURE
> dnsmasq: reply test-ipv6.com is 216.218.228.119
> dnsmasq: query[A] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[AAAA] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: query[A] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[AAAA] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[A] ipv6.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv6.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv6.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 193.231.252.1
> dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
> dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply ipv4.test-ipv6.com is NODATA-IPv6
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>

More information about the Cerowrt-devel mailing list