[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

Toke Høiland-Jørgensen toke at toke.dk
Thu Feb 6 08:42:49 EST 2014


Simon Kelley <simon at thekelleys.org.uk> writes:

> Otherwise, just the usual stuff, crashes, infinite loops, wrong answers.
> "internal error" log entries.

Right, another data point: got an invalid signature:

dnsmasq[21893]: query[A] www.tcpdump.org from 127.0.0.1
dnsmasq[21893]: forwarded www.tcpdump.org to 127.0.0.1
dnsmasq[21893]: validation result is BOGUS
dnsmasq[21893]: reply www.tcpdump.org is 69.4.231.52
dnsmasq[21893]: reply www.tcpdump.org is 132.213.238.6

Seems to be correct, though:

$ dig +trace +dnssec +sigchase www.tcpdump.org
...snip...

;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for www.tcpdump.org. with DNSKEY:20163: RRSIG has expired
;; No DNSKEY is valid to check the RRSIG of the RRset: FAILED

Turning on dnssec-debug also "helps":

$ host www.tcpdump.org
www.tcpdump.org has address 69.4.231.52
www.tcpdump.org has address 132.213.238.6
www.tcpdump.org has RRSIG record A 5 3 60 20131226232352 20131126222352 20163 tcpdump.org. iyzWHZ5I6wkK6uZrmNg22SZnP2JKHN1LSE9Vo+PE3J1tbA9cPcVlas3v O8PtAGjzjP/TnGRaBSbni+Bwr6GJMRT1+S1Fw1aBCeTyioRmDPP0WS48 K6WULn5Mf35KNqzpHb+1YcvP2MeSp5oMVv3uFUjONlt7RqPHVTgfnR1L zy8=
www.tcpdump.org has IPv6 address 2607:f0d0:3001:62:1::52
www.tcpdump.org has IPv6 address 2001:4830:116e:2::6
www.tcpdump.org has RRSIG record AAAA 5 3 60 20131226232352 20131126222352 20163 tcpdump.org. L71XIeQLyVmZf4eXbBvefojm8qYhc/xAXR3S28pKBdeUgXl1DfePO8Il lUZhAXowKAw8H1529AglgW8HGAiJGwzoVefYz+GnZCg2N6AWoYM4gxve XwPtCDx51FAKkINkMX1XGqUIIX6Bq26RPcth0JSVCA+Fy+29ZxeitN36 sBk=


-Toke
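
Added example (not part of the original message, and not dnsmasq code): a small Python check of the RRSIG validity window, run over the two RRSIG lines from the host output above. The function names are hypothetical, and the evaluation time is an assumption taken from the mail's Date header converted to UTC.

```python
from datetime import datetime, timezone

# RRSIG lines from the `host` output in the message; signature data replaced
# by a placeholder because the time-window check does not use it.
HOST_OUTPUT = """\
www.tcpdump.org has RRSIG record A 5 3 60 20131226232352 20131126222352 20163 tcpdump.org. <sig>
www.tcpdump.org has RRSIG record AAAA 5 3 60 20131226232352 20131126222352 20163 tcpdump.org. <sig>
"""
# Assumption: evaluate at the mail's Date header (08:42:49 EST = 13:42:49 UTC).
MAIL_TIME = datetime(2014, 2, 6, 13, 42, 49, tzinfo=timezone.utc)

def parse_ts(text):
    """RFC 4034 timestamp: YYYYMMDDHHmmSS (UTC) or seconds since the epoch."""
    if len(text) == 14:
        return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(text), tz=timezone.utc)

def parse_rrsigs(output):
    """Extract RRSIG fields from `host` or `dig` presentation-format lines."""
    sigs = []
    for line in output.splitlines():
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG") + 1
        if i < len(fields) and fields[i] == "record":  # host's wording
            i += 1
        rdata = fields[i:]
        if len(rdata) < 8:
            continue  # truncated record, nothing to check
        # RDATA order: covered alg labels ttl expiration inception keytag signer
        sigs.append({"owner": fields[0], "covered": rdata[0],
                     "expiration": parse_ts(rdata[4]),
                     "inception": parse_ts(rdata[5]),
                     "key_tag": int(rdata[6]), "signer": rdata[7]})
    return sigs

def window_status(sig, now):
    """Classify `now` against the signature validity window."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now > sig["expiration"]:
        return "expired"
    return "in-window"

if __name__ == "__main__":
    for s in parse_rrsigs(HOST_OUTPUT):
        late = MAIL_TIME - s["expiration"]
        print(s["owner"], s["covered"], "key", s["key_tag"],
              window_status(s, MAIL_TIME), f"({late.days} days past expiration)")
```

Both signatures fall outside their window at the time of the mail, which matches the "RRSIG has expired" line from dig.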