I just committed a fix to this. Cheers,

Simon.

On 17/07/15 10:54, Anders Kaseorg wrote:
> csail.mit.edu is a signed zone inside the unsigned mit.edu zone. (It
> happens to be registered in dlv.isc.org, but that’s not relevant to
> dnsmasq.) Since an NSEC3 record in edu verifies that mit.edu is
> unsigned, this should be fine. However, dnsmasq thinks that everything
> in csail.mit.edu is BOGUS and returns SERVFAIL. This occurs even
> without --dnssec-check-unsigned.
>
> Log output from current master:
>
> $ make COPTS='-DHAVE_DNSSEC'
> $ src/dnsmasq -d --log-queries=extra --dnssec -C trust-anchors.conf -R -S 8.8.8.8
> dnsmasq: started, version 2.74rc3 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
> dnsmasq: DNSSEC validation enabled
> dnsmasq: using nameserver 8.8.8.8#53
> dnsmasq: read /etc/hosts - 7 addresses
> dnsmasq: 1 127.0.0.1/42010 query[A] csail.mit.edu from 127.0.0.1
> dnsmasq: 1 127.0.0.1/42010 forwarded csail.mit.edu to 8.8.8.8
> dnsmasq: * 127.0.0.1/42010 dnssec-query[DNSKEY] csail.mit.edu to 8.8.8.8
> dnsmasq: * 127.0.0.1/42010 dnssec-query[DS] csail.mit.edu to 8.8.8.8
> dnsmasq: 1 127.0.0.1/42010 validation csail.mit.edu is BOGUS
> dnsmasq: 1 127.0.0.1/42010 reply csail.mit.edu is 128.30.2.121
>
> Some quick debugging shows that the translation from STAT_NO_SIG to
> STAT_BOGUS occurs here at src/forward.c:854:
>
>     else if (status == STAT_NO_NS || status == STAT_NO_SIG)
>       status = STAT_BOGUS;
>
> git bisect blames commit 97e618a0e3f29465acc689d87288596b006f197e
> “DNSSEC: do top-down search for limit of secure delegation.” (For what
> it’s worth, I know you put a lot of work into that commit at my
> suggestion, so I don’t want to sound ungrateful or anything!)
>
> Anders

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
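The point Anders makes is that a validator has to find the limit of secure delegation from the top down: once a validated NSEC3 in edu proves there is no DS for mit.edu, everything under mit.edu is INSECURE, and the fact that csail.mit.edu signs its own data (an "island of security" with no DS in its unsigned parent) must not be reported as BOGUS. The following is an added example written for this page, not dnsmasq's code and not Simon's fix: a small Python model of that top-down walk over a constructed table of zone facts, next to a deliberately naive leaf-only check that reproduces the symptom in the report. The `ZoneCut` record, the `ds_in_parent` tri-state and `classify_leaf_only` are this example's own assumptions about how such a validator can be modelled, not a description of dnsmasq's internal state machine.

```python
# Added example (not dnsmasq's code): a model of walking DNSSEC delegations
# top-down from the trust anchor to decide whether a name is SECURE, INSECURE
# or BOGUS. The zone facts below are constructed, not fetched from the DNS.
from dataclasses import dataclass
from typing import Dict, List, Optional

SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"


@dataclass
class ZoneCut:
    name: str                      # zone apex, fully qualified, e.g. "mit.edu."
    signed: bool                   # zone publishes DNSKEY and signs its data
    # What the parent zone says about this zone's DS record (assumed tri-state):
    #   True  - DS present and validated against the parent's keys
    #   False - absence of DS proven by a validated NSEC/NSEC3 record
    #   None  - no DS and no usable proof (e.g. the parent is itself unsigned)
    ds_in_parent: Optional[bool]


def zone_cuts(qname: str, zones: Dict[str, ZoneCut]) -> List[ZoneCut]:
    """Return the chain of known zone cuts from the root down to the zone
    that contains qname (qname itself need not be a zone apex)."""
    labels = qname.rstrip(".").split(".")
    chain = []
    for i in range(len(labels), -1, -1):
        name = "." if i == len(labels) else ".".join(labels[i:]) + "."
        if name in zones:
            chain.append(zones[name])
    return chain


def classify_top_down(qname: str, zones: Dict[str, ZoneCut]) -> str:
    """Walk from the trust-anchored root towards qname. The first delegation
    that is proven unsigned makes everything below it INSECURE; only a
    delegation with neither a DS nor a proof of its absence is BOGUS."""
    status = SECURE                      # the root is trusted via the trust anchor
    for cut in zone_cuts(qname, zones)[1:]:
        if status == INSECURE:
            return INSECURE              # an island of security cannot re-enter the chain
        if cut.ds_in_parent is True and cut.signed:
            status = SECURE
        elif cut.ds_in_parent is False:
            status = INSECURE
        else:
            return BOGUS                 # chain claims security but cannot be verified
    return status


def classify_leaf_only(qname: str, zones: Dict[str, ZoneCut]) -> str:
    """Naive model of the misbehaviour in the report (an assumption, not
    dnsmasq's actual code): judge the containing zone on its own DS/DNSKEY
    lookups without first checking whether an ancestor is proven unsigned."""
    leaf = zone_cuts(qname, zones)[-1]
    if not leaf.signed:
        return INSECURE
    if leaf.ds_in_parent is True:
        return SECURE
    return BOGUS                         # no DS found -> "no signature" -> BOGUS


# Constructed zone facts matching the situation described in the report.
ZONES: Dict[str, ZoneCut] = {
    ".": ZoneCut(".", signed=True, ds_in_parent=None),
    "edu.": ZoneCut("edu.", signed=True, ds_in_parent=True),
    # NSEC3 in edu proves there is no DS for mit.edu: a proven-unsigned delegation.
    "mit.edu.": ZoneCut("mit.edu.", signed=False, ds_in_parent=False),
    # csail.mit.edu signs its data, but its unsigned parent cannot publish a DS.
    "csail.mit.edu.": ZoneCut("csail.mit.edu.", signed=True, ds_in_parent=None),
    # A signed zone whose DS the (signed) parent neither has nor denies: a real break.
    "broken.edu.": ZoneCut("broken.edu.", signed=True, ds_in_parent=None),
}

if __name__ == "__main__":
    for name in ("csail.mit.edu.", "www.csail.mit.edu.", "edu.", "broken.edu."):
        print(f"{name:22} top-down={classify_top_down(name, ZONES):8} "
              f"leaf-only={classify_leaf_only(name, ZONES)}")
```

Running it shows the two models disagreeing exactly where the report does: the top-down walk classifies csail.mit.edu (and names under it) as INSECURE because the chain was already proven to end at mit.edu, while the leaf-only check turns the missing DS into BOGUS. The hypothetical broken.edu entry shows the case where BOGUS is the right answer: its parent is signed and validated, so the absence of both a DS and a denial of a DS is a genuine chain failure rather than a proven-unsigned delegation.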