[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

Toke Høiland-Jørgensen toke at toke.dk
Sun Feb 9 07:09:04 EST 2014


OK, so I've tried building dnsmasq on cerowrt, from git head. It seems
to have some trouble validating stuff:

Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: forwarded mail2.tohojo.dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: reply dk is BOGUS DS
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: validation result is BOGUS

This is with dnssec-debug turned on.

I'm not entirely sure how to go about debugging this, but FWIW this
works:

$ dig +dnssec +sigchase mail2.tohojo.dk @213.80.98.2
...snip...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS


Whereas going through the dnsmasq server fails:
$ dig +dnssec +sigchase mail2.tohojo.dk @10.42.8.1
...snip...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for tohojo.dk. with DNSKEY:61294: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for dk. with DNSKEY:26887: success
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS :  recursive call


Launch a query to find a RRset of type DNSKEY for zone: .

;; DNSKEYset that signs the RRset to chase:
.			0	IN	DNSKEY	256 3 8 AwEAAYRU41/8smgAvuSojEP4jaj5Yll7WPaUKpYvnz2pnX2VIvRn4jsy Jns80bloenG6X9ebJVy2CFtZQLKHP8DcKmIFotdgs2HolyocY1am/+33 4RtzusM2ojkhjn1FRGtuSE9s2TSz1ISv0yVnFyu+EP/ZkiWnDfWeVrJI SEWBEr4V
.			0	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.			0	IN	DNSKEY	256 3 8 AwEAAb8sU6pbYMWRbkRnEuEZw9NSir707TkOcF+UL1XiK4NDJOvXRyX1 95Am5dQ7bRnnuySZ3daf37vvjUUhuIWUAQ4stht8nJfYxVQXDYjSpGH5 I6Hf/0CZEoNP6cNvrQ7AFmKkmv00xWExKQjbvnRPI4bqpMwtHVzn6Wyb BZ6kuqED



Launch a query to find a RRset of type RRSIG for zone: .

;; RRSIG for DNSKEY  is missing  to continue validation : FAILED



Not really sure what to make of this?

-Toke
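
An added example, not part of the original post and not dnsmasq code: a small Python triage helper that groups the dnssec-debug log lines quoted above by forwarded query and reports which RRset was marked BOGUS and which zone's key signs it. It assumes the log line shapes shown in the post; the function names signer_zone and triage are hypothetical.

```python
import re

# Log lines copied from the post above.
SAMPLE_LOG = """\
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: forwarded mail2.tohojo.dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: reply dk is BOGUS DS
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: validation result is BOGUS
"""

LINE = re.compile(r"dnsmasq\[(\d+)\]: (.*)$", re.M)
FORWARDED = re.compile(r"forwarded (\S+) to (\S+)$")
QUERY = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)$")
BOGUS = re.compile(r"reply (\S+) is BOGUS (\w+)$")
RESULT = re.compile(r"validation result is (\w+)$")


def signer_zone(zone, rrtype):
    """Zone whose key signs the RRset: a DS RRset lives in the parent zone."""
    if rrtype != "DS":
        return zone
    return zone.rstrip(".").partition(".")[2] or "."


def triage(log_text):
    """One record per forwarded query (assumes a PID's lines are not interleaved)."""
    open_by_pid, done = {}, []
    for pid, msg in LINE.findall(log_text):
        if f := FORWARDED.match(msg):
            open_by_pid[pid] = {"name": f[1], "chain": [], "bogus": [], "result": None}
        rec = open_by_pid.get(pid)
        if rec is None:
            continue  # DNSSEC line with no preceding 'forwarded' line
        if q := QUERY.match(msg):
            rec["chain"].append((q[1], q[2]))  # (rrtype, zone) in query order
        elif b := BOGUS.match(msg):
            rec["bogus"].append((b[1], b[2], signer_zone(b[1], b[2])))
        elif r := RESULT.match(msg):
            rec["result"] = r[1]
            done.append(open_by_pid.pop(pid))
    return done


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["name"], rec["result"], rec["bogus"])
```

For the log in the post it reports the DS RRset for dk as the bogus link, signed by the root zone, which is consistent with the dig +sigchase run through dnsmasq stopping at the missing RRSIG for the root DNSKEY.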