I've recently enabled DNSSEC on dnsmasq, and signed a zone that I work with a lot.

It works for a while (dig shows the AD (authentic data) flag on signed zones), but after about a week, I start getting lookup failures for that zone until I restart dnsmasq. Then it works for another week. The DNSSEC verifier at https://dnssec-debugger.verisignlabs.com/ says the domain is fine.


There's nothing in the log file, though I am not logging all queries.


I have version 2.75. It's baked into my router firmware (Tomato Shibby) so I can't easily try the very latest. The DNSSEC-related part of my config is

dnssec

conf-file=/etc/trust-anchors.conf


And the trust-anchors.conf says

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D



Jun 28 10:11:54 router daemon.info dnsmasq[9632]: started, version 2.76 cachesize 4096
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth DNSSEC loop-detect no-inotify
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: DNSSEC validation enabled
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: asynchronous logging enabled, queue limit is 5 messages
Jun 28 10:11:54 router daemon.info dnsmasq-dhcp[9632]: DHCP, IP range 192.168.42.20 -- 192.168.42.254, lease time 1d
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: reading /etc/resolv.dnsmasq
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: using nameserver 8.8.8.8#53
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: using nameserver 8.8.4.4#53
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: read /etc/hosts - 2 addresses
Jun 28 10:11:54 router daemon.info dnsmasq[9632]: read /etc/dnsmasq/hosts/hosts - 12 addresses
Jun 28 10:11:54 router daemon.info dnsmasq-dhcp[9632]: read /etc/dnsmasq/dhcp/dhcp-hosts


Is there anything else I can check?



Thanks


Hamish


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss