For some reason, subsequent DNS queries do not always bring the same result here with the above configuration:

First queries after a reboot return what's expected:

nicolas@nicolas-desktop:~ 0 $ dig www.dnssec-failed.org

; <<>> DiG 9.9.5-11ubuntu1.1-Ubuntu <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32530
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 127 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Jan 02 13:11:49 CET 2016
;; MSG SIZE rcvd: 50

And then, suddenly:

nicolas@nicolas-desktop:~ 0 $ dig www.dnssec-failed.org

; <<>> DiG 9.9.5-11ubuntu1.1-Ubuntu <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21156
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; ANSWER SECTION:
www.dnssec-failed.org. 3407 IN A 69.252.193.191
www.dnssec-failed.org. 3407 IN A 68.87.109.242

;; Query time: 12 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Jan 02 13:11:50 CET 2016
;; MSG SIZE rcvd: 82

Does someone have an idea of what is going on?

--
https://bugs.launchpad.net/bugs/995332

Title:
  Please enhance NetworkManager such that DNSSEC validation is done whenever possible

Status in dnsmasq package in Ubuntu:
  Invalid
Status in network-manager package in Ubuntu:
  Triaged

Bug description:
Network Manager in Precise uses a local forwarding DNS server (dnsmasq).
This does not perform DNSSEC validation, although it is configured to proxy the DNSSEC validation result from the upstream server, for which the manpage mentions the following caveat: "You should only do this if you trust all the configured upstream nameservers and the network between you and them." Since not all networks or upstream DNS servers are trustworthy, the safest place to perform DNSSEC validation is on the client. Using a local DNS server which cannot validate is a missed opportunity; by replacing dnsmasq with a more-capable DNS server (e.g. Unbound) security against DNS poisoning and MITM attacks could be improved.
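
An added example (not part of the original report or of any Ubuntu package): a small Python check that parses dig output like the two responses quoted in the comment and reports when the same local forwarder sometimes rejects and sometimes accepts a zone that a validating resolver should refuse. The function names are hypothetical, and it assumes the queried name is a deliberately mis-signed test zone, as in the comment.

```python
import re

STATUS = re.compile(r"status:\s*(\w+)")
FLAGS = re.compile(r"^;; flags:\s*([a-z ]*);\s*QUERY:\s*\d+,\s*ANSWER:\s*(\d+)", re.M)
SERVER = re.compile(r"^;; SERVER:\s*(\S+)", re.M)

def parse_dig(text):
    """Pull rcode, header flags, answer count and server out of dig's text output."""
    status = STATUS.search(text)
    flags = FLAGS.search(text)
    server = SERVER.search(text)
    if not (status and flags):
        raise ValueError("not a dig response header")
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()),
        "answers": int(flags.group(2)),
        "server": server.group(1) if server else None,
    }

def classify_broken_zone(text):
    """Verdict for a query against a zone assumed to carry invalid signatures."""
    r = parse_dig(text)
    if r["status"] == "SERVFAIL":
        return "rejected"              # a resolver on the path validated and refused
    if r["status"] == "NOERROR" and r["answers"] > 0:
        return "accepted-unvalidated"  # bogus data reached the client
    return "inconclusive"

def path_is_consistent(outputs):
    """True only if every response received the same verdict."""
    return len({classify_broken_zone(o) for o in outputs}) == 1

# Headers of the two responses quoted in the comment, trimmed to the parsed lines.
FIRST = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32530
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.1.1#53(127.0.1.1)
"""
SECOND = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21156
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.1.1#53(127.0.1.1)
"""

if __name__ == "__main__":
    for out in (FIRST, SECOND):
        print(parse_dig(out)["server"], classify_broken_zone(out))
    print("consistent:", path_is_consistent([FIRST, SECOND]))
```

Neither quoted response carries the `ad` flag, so the client cannot tell from the header alone whether validation happened; only the rcode differs between the two.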

