[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

Simon Kelley simon at thekelleys.org.uk
Sun Feb 9 07:23:37 EST 2014


On 09/02/14 12:09, Toke Høiland-Jørgensen wrote:
>
> OK, so I've tried building dnsmasq on cerowrt, from git head. It seems
> to have some trouble validating stuff:
>
> Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: forwarded mail2.tohojo.dk to 213.80.98.2
> Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] dk to 213.80.98.2
> Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: reply dk is BOGUS DS
> Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: validation result is BOGUS
>
> This is with dnssec-debug turned on.

Hmm, that domain validates for me here. It probably makes sense to turn 
dnssec-debug _off_. One of the things it does is to set the Checking 
Disabled bit in queries upstream. I'm advised that this is not a good 
thing to do, since it means the upstream nameserver can return the first 
data it finds, even if it doesn't validate, whilst without CD, it 
will keep trying other authoritative servers to get valid data. I don't 
understand the details, but that would seem applicable here.
>
> I'm not entirely sure how to go about debugging this, but FWIW this
> works:
>
> $ dig +dnssec +sigchase mail2.tohojo.dk @213.80.98.2
> ...snip...
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
> ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
>
> ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
>
>
> Whereas going through the dnsmasq server fails:
> $ dig +dnssec +sigchase mail2.tohojo.dk @10.42.8.1
> ...snip...
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING DS RRset for tohojo.dk. with DNSKEY:61294: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Now, we are going to validate this DNSKEY by the DS
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for dk. with DNSKEY:26887: success
> ;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
> ;; Now, we want to validate the DS :  recursive call
>
>
> Launch a query to find a RRset of type DNSKEY for zone: .
>
> ;; DNSKEYset that signs the RRset to chase:
> .			0	IN	DNSKEY	256 3 8 AwEAAYRU41/8smgAvuSojEP4jaj5Yll7WPaUKpYvnz2pnX2VIvRn4jsy Jns80bloenG6X9ebJVy2CFtZQLKHP8DcKmIFotdgs2HolyocY1am/+33 4RtzusM2ojkhjn1FRGtuSE9s2TSz1ISv0yVnFyu+EP/ZkiWnDfWeVrJI SEWBEr4V
> .			0	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> .			0	IN	DNSKEY	256 3 8 AwEAAb8sU6pbYMWRbkRnEuEZw9NSir707TkOcF+UL1XiK4NDJOvXRyX1 95Am5dQ7bRnnuySZ3daf37vvjUUhuIWUAQ4stht8nJfYxVQXDYjSpGH5 I6Hf/0CZEoNP6cNvrQ7AFmKkmv00xWExKQjbvnRPI4bqpMwtHVzn6Wyb BZ6kuqED
>
>
>
> Launch a query to find a RRset of type RRSIG for zone: .
>
> ;; RRSIG for DNSKEY  is missing  to continue validation : FAILED
>
>
>
> Not really sure what to make of this?

OK, you've got to the trust-anchor root keys which are hardwired in as 
part of the dnsmasq configuration. As such, dnsmasq assumes they are 
valid and doesn't need RRSIGs to check their self-signing. As the 
signatures aren't known, they are not supplied with a query for DNSKEY 
of the root zone. That may be wrong. When providing trust anchors to (eg 
BIND) is it possible/normal to provide the SIGs too?

Cheers,

Simon.
>
> -Toke
>
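The CD bit that dnssec-debug sets, and the AD bit a validating upstream sets in return, are plain header flags in the DNS wire format. The following is an added example, not code from dnsmasq or from either poster: it builds a query with or without CD and with the EDNS0 DO bit, parses the header back, and applies the rule a stub has to follow: an answer may only be treated as validated if the stub did NOT set CD and the resolver did set AD with a clean RCODE. Names (`build_query`, `make_reply`, `validated`) and the sample query for `tohojo.dk` are constructed for illustration; only the Python standard library is used.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035). CD = Checking Disabled,
# AD = Authenticated Data. dnssec-debug sets CD on dnsmasq's upstream queries.
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F
EDNS_DO = 0x8000          # DNSSEC OK bit, low 16 bits of the OPT RR "TTL" field
OPT_TYPE = 41

QTYPE = {"A": 1, "DS": 43, "RRSIG": 46, "DNSKEY": 48}


def encode_name(name):
    """Encode a dotted name as DNS labels; '.' alone encodes the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, cd=False, do=True):
    """Wire-format query. cd=True mimics what dnssec-debug does upstream."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    msg = header + question
    if do:
        # OPT pseudo-RR: root name, type 41, UDP size 4096,
        # ext-rcode/version/flags packed in the 32-bit TTL, empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return msg


def make_reply(query, ad=False, rcode=0):
    """Constructed reply: copies the query, sets QR/RA, keeps CD as RFC 4035
    requires, and sets AD only when asked (stand-in for a validating upstream)."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags = (flags & ~RCODE_MASK) | FLAG_QR | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    return struct.pack("!HH", txid, flags) + query[4:]


def parse_message(msg):
    """Parse header, question and (for our own messages) a trailing OPT RR.
    Assumes no answer/authority records, which holds for queries built here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    do = False
    if ar and an == 0 and ns == 0:
        rtype, _udp, ttl, _rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        do = rtype == OPT_TYPE and bool(ttl & EDNS_DO)
    return {
        "id": txid,
        "name": ".".join(labels) + ".",
        "qtype": qtype,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "do": do,
    }


def validated(query, reply):
    """Stub-side rule: data counts as validated only if we did not disable
    checking (CD=0) and the resolver asserted AD with RCODE NOERROR.
    With CD set, the upstream hands back whatever it has, so AD is meaningless."""
    q, r = parse_message(query), parse_message(reply)
    return (not q["cd"]) and r["qr"] and r["ad"] and r["rcode"] == 0


if __name__ == "__main__":
    for cd in (False, True):
        q = build_query("tohojo.dk", "DS", cd=cd)
        print("CD=%d query flags: %s" % (cd, parse_message(q)))
        print("  trust reply with AD set:", validated(q, make_reply(q, ad=True)))
```

Capturing dnsmasq's upstream traffic with tcpdump and reading the flags field the same way is a quick check that dnssec-debug really is off: with it on, every `dnssec-query[DS]`/`[DNSKEY]` in the log will go out with CD=1.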
