[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

Toke Høiland-Jørgensen toke at toke.dk
Sun Feb 9 16:33:54 EST 2014

Simon Kelley <simon at thekelleys.org.uk> writes:

> It's possible, indeed that's happened during testing. Dave, could you
> talk me through getting the latest dnsmasq package on the 3800 you
> gave me?

The packages I've built are here:

They're packaged as libhogweed, libnettle, libgmp and dnsmasq-dhcpv6 --
dunno if they're installable without further ado on your box. But if so
you should be able to just download those four package files onto your
router (stick them in /tmp to avoid running out of flash) and calling
opkg to install them...

> Note that here, the inception time for the signature of the DS is
> 20140208022128, UTC ie late yesterday. Are you sure your clock is
> correct, time and _date_?

Double-checked the time, and yes, it is recent, including date. Reran
the queries, and dnsmasq still complains.

> Please clould you post the result of running
> dig @ +dnssec ds dk

Seems to be the same:

dk.			70561	IN	DS	26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1B60ED3735 F853DFD7
dk.			70561	IN	RRSIG	DS 8 1 86400 20140216000000 20140208230000 33655 . MAKi0fADKyqZ3aQilK7pgilLZvZz7sYKjZsw4FVff/9RNEECtZf9FpbI CD76X860kq6Ctf+zTKH5xvev44hYsER+0IVmN2YiMeMrFlGALIhZVOXN f+MN2cUtIolOb518/lQXBMdmlYyC1Lo7GPTICIJ2w82poTTPRai3q/S9 2Qc=

Also, running it against the dnsmasq instance gives no output; dnsmasq
complains in the logs that validation failed. I.e:
$ dig @ +dnssec ds dk  

; <<>> DiG 9.9.2-P2 <<>> @ +dnssec ds dk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53752
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;dk.				IN	DS

;; Query time: 51 msec
;; WHEN: Sun Feb  9 22:30:52 2014
;; MSG SIZE  rcvd: 31

> That's not dnsmasq, it's the resolver in, probably because
> /etc/resolv.conf has a search path configured and the wrong value for
> ndots. See man resolv.conf for details.

Ah, right. Well it does try it without appending the domain first, so I
guess ndots is right (my man page says it defaults to 1). However, when
it fails (due to dnssec errors), it is retried with the domain appended;
which I thought was strange...

> OK, so they're not hardwiring them either. Maybe the special-case
> processing in dnsmasq that stops queries for DNSKEYS which are known
> locally is not the right thing to do.

Well if you want to support clients tracing the dnssec results I guess
not? :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140209/5775a79a/attachment.sig>

More information about the Cerowrt-devel mailing list