On 10/07/16 09:21, Marcel Mutter wrote:
> I enabled DNSSEC a few weeks ago and all seems to be working.
> Yesterday I wanted to visit Mozilla.org and nothing happened. I see
> that the request is being sent to the upstream nameserver, however
> nothing is displayed by dnsmasq as a response. I am running "dnsmasq
> -d" with logging enabled so I can see the output in real time.
>
> dnsmasq: query[A] ftp.mozilla.org from 192.168.xxx.xxx
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DS] org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] . to 194.109.9.99
> dnsmasq: reply . is DNSKEY keytag 19036, algo 8
> dnsmasq: reply . is DNSKEY keytag 60615, algo 8
> dnsmasq: reply . is DNSKEY keytag 46551, algo 8
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
> dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq: reply org is DNSKEY keytag 2097, algo 7
> dnsmasq: reply org is DNSKEY keytag 3177, algo 7
> dnsmasq: reply org is DNSKEY keytag 9795, algo 7
> dnsmasq: reply org is DNSKEY keytag 17883, algo 7
> dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
>
> Also the same with mozilla.org, mozilla.com and firefox.com.
>
> The upstream server 194.109.9.99 is using Unbound.
>
> When I query the upstream nameserver directly I get a good response. I am
> running dnsmasq 2.76-1 for Debian at the moment and I updated it a
> few hours ago from 2.72-3.
>
I just tried all those domains using 2.76 and 8.8.8.8 upstream and all behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.

The upstream is clearly answering the direct question OK, but stalling on some of the DNSSEC queries needed to verify it. That could be an upstream problem, or a problem with the authoritative servers for the domain.

ftp.mozilla.org is signed, but it's a CNAME to cloudfront.org, so the DS from .org proving that cloudfront.org is not signed is also required.

Are you still seeing the problem now, or has this resolved itself?

Cheers,

Simon.
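As an added diagnostic example (not code from the thread, from Marcel or from dnsmasq itself): a small Python script that reads `dnsmasq -d` output of the kind quoted above and reports which `dnssec-query` never received a matching `reply`, which is where the validation chain stalled. The log lines are an abridged, constructed copy of the ones in Marcel's mail.

```python
import re
from collections import OrderedDict

# Constructed sample, abridged from the dnsmasq -d output quoted in the thread.
# The final DNSKEY query for mozilla.org never gets a reply.
LOG = """\
dnsmasq: query[A] ftp.mozilla.org from 192.168.xxx.xxx
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DS] org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] . to 194.109.9.99
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 2097, algo 7
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
"""

# "dnssec-query[DS] org to 194.109.9.99"  -> (rrtype, name, server)
QUERY_RE = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)")
# "reply org is DS keytag 9795, ..."      -> (name, rrtype)
REPLY_RE = re.compile(r"reply (\S+) is (\w+) ")


def unanswered_dnssec_queries(log_text):
    """Return (rrtype, name, server) for every dnssec-query with no reply.

    A reply matches a pending query when owner name and record type agree.
    Several replies for one query (multiple DNSKEYs) are fine: the first
    closes the query, the rest are ignored. Whatever is still pending at
    the end of the log is the point where DNSSEC validation stalled.
    """
    pending = OrderedDict()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            rrtype, name, server = m.groups()
            pending[(rrtype, name)] = server
            continue
        m = REPLY_RE.search(line)
        if m:
            name, rrtype = m.groups()
            pending.pop((rrtype, name), None)
    return [(rrtype, name, server) for (rrtype, name), server in pending.items()]


if __name__ == "__main__":
    for rrtype, name, server in unanswered_dnssec_queries(LOG):
        print(f"no reply for {rrtype} {name} from {server}")
```

Feeding a real `dnsmasq -d` capture to `unanswered_dnssec_queries` narrows the problem to a specific upstream and zone, which is the first thing to compare against a direct query to that upstream.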