On 09/02/14 21:33, Toke Høiland-Jørgensen wrote:
Simon Kelley<[email protected]> writes:
It's possible, indeed that's happened during testing. Dave, could you
talk me through getting the latest dnsmasq package on the 3800 you
gave me?
The packages I've built are here:
http://archive.tohojo.dk/cerowrt/wndr/3.10.28-4-tohojo/packages/
They're packaged as libhogweed, libnettle, libgmp and dnsmasq-dhcpv6 --
dunno if they're installable without further ado on your box. But if so
you should be able to just download those four package files onto your
router (stick them in /tmp to avoid running out of flash) and calling
opkg to install them...
Note that here, the inception time for the signature of the DS is
20140208022128, UTC ie late yesterday. Are you sure your clock is
correct, time and _date_?
Double-checked the time, and yes, it is recent, including date. Reran
the queries, and dnsmasq still complains.
Please clould you post the result of running
dig @213.80.98.2 +dnssec ds dk
Seems to be the same:
;; ANSWER SECTION:
dk. 70561 IN DS 26887 8 2
A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1B60ED3735 F853DFD7
dk. 70561 IN RRSIG DS 8 1 86400 20140216000000
20140208230000 33655 . MAKi0fADKyqZ3aQilK7pgilLZvZz7sYKjZsw4FVff/9RNEECtZf9FpbI
CD76X860kq6Ctf+zTKH5xvev44hYsER+0IVmN2YiMeMrFlGALIhZVOXN
f+MN2cUtIolOb518/lQXBMdmlYyC1Lo7GPTICIJ2w82poTTPRai3q/S9 2Qc=
Also, running it against the dnsmasq instance gives no output; dnsmasq
complains in the logs that validation failed. I.e:
$ dig @10.42.8.1 +dnssec ds dk
;<<>> DiG 9.9.2-P2<<>> @10.42.8.1 +dnssec ds dk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53752
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dk. IN DS
;; Query time: 51 msec
;; SERVER: 10.42.8.1#53(10.42.8.1)
;; WHEN: Sun Feb 9 22:30:52 2014
;; MSG SIZE rcvd: 31
OK. One more question is this a general failure with all TLDS failing,
or is it limited to .dk?
I'll fire up the 3800 and see what I can find.......
That's not dnsmasq, it's the resolver in 10.42.8.106, probably because
/etc/resolv.conf has a search path configured and the wrong value for
ndots. See man resolv.conf for details.
Ah, right. Well it does try it without appending the domain first, so I
guess ndots is right (my man page says it defaults to 1). However, when
it fails (due to dnssec errors), it is retried with the domain appended;
which I thought was strange...
OK, so they're not hardwiring them either. Maybe the special-case
processing in dnsmasq that stops queries for DNSKEYS which are known
locally is not the right thing to do.
Well if you want to support clients tracing the dnssec results I guess
not? :)
I've just pushed a fix into git that should sort this one.
Cheers,
Simon.
-Toke
_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel
