On 09/02/14 12:09, Toke Høiland-Jørgensen wrote:
> OK, so I've tried building dnsmasq on cerowrt, from git head. It seems to have some trouble validating stuff:
>
> Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: forwarded mail2.tohojo.dk to 213.80.98.2
> Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] dk to 213.80.98.2
> Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: reply dk is BOGUS DS
> Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: validation result is BOGUS
>
> This is with dnssec-debug turned on.
Hmm, that domain validates for me here. It probably makes sense to turn dnssec-debug _off_. One of the things it does is to set the Checking Disabled bit in queries upstream. I'm advised that this is not a good thing to do, since it means the upstream nameserver can return the first data it finds, even if it doesn't resolve, whilst without CD, it will keep trying other authoritative servers to get valid data. I don't understand the details, but that would seem applicable here.
> I'm not entirely sure how to go about debugging this, but FWIW this works:
>
> $ dig +dnssec +sigchase mail2.tohojo.dk @213.80.98.2
> ...snip...
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
> ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
> ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
>
> Whereas going through the dnsmasq server fails:
>
> $ dig +dnssec +sigchase mail2.tohojo.dk @10.42.8.1
> ...snip...
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING DS RRset for tohojo.dk. with DNSKEY:61294: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Now, we are going to validate this DNSKEY by the DS
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for dk. with DNSKEY:26887: success
> ;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
> ;; Now, we want to validate the DS : recursive call
> Launch a query to find a RRset of type DNSKEY for zone: .
> ;; DNSKEYset that signs the RRset to chase:
> . 0 IN DNSKEY 256 3 8 AwEAAYRU41/8smgAvuSojEP4jaj5Yll7WPaUKpYvnz2pnX2VIvRn4jsy Jns80bloenG6X9ebJVy2CFtZQLKHP8DcKmIFotdgs2HolyocY1am/+33 4RtzusM2ojkhjn1FRGtuSE9s2TSz1ISv0yVnFyu+EP/ZkiWnDfWeVrJI SEWBEr4V
> . 0 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> . 0 IN DNSKEY 256 3 8 AwEAAb8sU6pbYMWRbkRnEuEZw9NSir707TkOcF+UL1XiK4NDJOvXRyX1 95Am5dQ7bRnnuySZ3daf37vvjUUhuIWUAQ4stht8nJfYxVQXDYjSpGH5 I6Hf/0CZEoNP6cNvrQ7AFmKkmv00xWExKQjbvnRPI4bqpMwtHVzn6Wyb BZ6kuqED
> Launch a query to find a RRset of type RRSIG for zone: .
> ;; RRSIG for DNSKEY is missing to continue validation : FAILED
>
> Not really sure what to make of this?
> -Toke

OK, you've got to the trust-anchor root keys which are hardwired in as part of the dnsmasq configuration. As such, Dnsmasq assumes they are valid and doesn't need RRSIGs to check their self-signing. As the signatures aren't known, they are not supplied with a query for DNSKEY of the root zone. That may be wrong. When providing trust anchors to e.g. BIND, is it possible/normal to provide the SIGS too?

Cheers, Simon.
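As an added illustration, not code from dnsmasq or from anyone in this thread: a stdlib-only Python check of the exact condition dig +sigchase reported ("RRSIG for DNSKEY is missing"), i.e. whether a response to a root DNSKEY query carries an RRSIG whose type-covered field is DNSKEY. The messages are constructed samples with dummy key and signature bytes, so it runs offline; the parser walks the answer section in wire format and can be pointed at a real captured response.

```python
import struct
TYPE_SOA, TYPE_RRSIG, TYPE_DNSKEY = 6, 46, 48   # IANA RR type codes

def build_root_response(answers):
    """Minimal response to '. IN DNSKEY' with (rtype, rdata) answers. Constructed
    sample, not a capture; the root name is one zero byte, so no compression."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = b"\x00" + struct.pack("!HH", TYPE_DNSKEY, 1)
    rrs = b"".join(b"\x00" + struct.pack("!HHIH", t, 1, 0, len(rd)) + rd
                   for t, rd in answers)
    return header + question + rrs

def skip_name(msg, off):   # offset just past a (possibly compressed) owner name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1

def answer_records(msg):
    """Yield (rtype, rdata) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, msg[off:off + rdlen]
        off += rdlen

def dnskey_rrset_is_signed(msg):
    """True only if the answer holds DNSKEYs and an RRSIG whose 'type covered' field
    (first two rdata bytes) is DNSKEY: the condition dig +sigchase reported missing."""
    records = list(answer_records(msg))
    has_keys = any(t == TYPE_DNSKEY for t, _ in records)
    has_sig = any(t == TYPE_RRSIG and struct.unpack("!H", rd[:2])[0] == TYPE_DNSKEY
                  for t, rd in records)
    return has_keys and has_sig

# Constructed samples: a KSK (flags 257, proto 3, alg 8) and RRSIGs with dummy bytes;
# key tag 19036 is the root KSK tag seen in the dig output above.
KSK = struct.pack("!HBB", 257, 3, 8) + b"\x03\x01\x00\x01" + b"\xaa" * 16
def rrsig(covered):   # RRSIG rdata: covered, alg, labels, TTL, expiry, inception, tag, signer '.', sig
    return struct.pack("!HBBIIIH", covered, 8, 0, 172800, 1392000000, 1390000000, 19036) + b"\x00" + b"\xbb" * 16
SIGNED = build_root_response([(TYPE_DNSKEY, KSK), (TYPE_RRSIG, rrsig(TYPE_DNSKEY))])
UNSIGNED = build_root_response([(TYPE_DNSKEY, KSK)])   # the shape dig complained about
```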
_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel
