On 29/06/17 09:42, Hamish Moffatt wrote:
On 29/06/17 07:05, Simon Kelley wrote:
Your text says 2.75, but the log says 2.76. There's a significant
difference between the two in DNSSEC code.

First thing to do is to turn on --log-queries and arrange for the (quite
large) logs to go somewhere safe, if the router has limited storage.
That should give you information about why the validation is failing.


I meant 2.76. I will start logging and report back if I see the failure again (but two weeks in a row now).

This just happened again. Here are the logs from a couple of DNS lookups after it failed. I redacted the hostnames and IPs, hope it still makes sense.


ul 3 16:58:36 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com from 192.168.42.2 Jul 3 16:58:36 router daemon.info dnsmasq[10149]: forwarded foo2.foo.com to 8.8.4.4 Jul 3 16:58:37 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com from 192.168.42.2 Jul 3 16:58:37 router daemon.info dnsmasq[10149]: forwarded foo2.foo.com to 8.8.4.4 Jul 3 16:58:37 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] foo.com to 8.8.4.4 Jul 3 16:58:37 router daemon.info dnsmasq[10149]: reply foo2.foo.com is <CNAME>
Jul  3 16:58:37 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
Jul 3 16:58:37 router daemon.info dnsmasq[11219]: query[A] foo2.foo.com from 192.168.42.2 Jul 3 16:58:38 router daemon.info dnsmasq[11219]: forwarded foo2.foo.com to 8.8.4.4 Jul 3 16:58:38 router daemon.info dnsmasq[11219]: dnssec-query[DNSKEY] foo.com to 8.8.4.4 Jul 3 16:58:38 router daemon.info dnsmasq[11219]: validation foo2.foo.com is ABANDONED Jul 3 16:58:38 router daemon.info dnsmasq[11219]: reply foo2.foo.com is <CNAME>
Jul  3 16:58:38 router daemon.info dnsmasq[11219]: reply foo.com is 2.2.2.2
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com from 192.168.42.2 Jul 3 16:58:38 router daemon.info dnsmasq[10149]: forwarded foo2.foo.com to 8.8.4.4 Jul 3 16:58:38 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] foo.com to 8.8.4.4 Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo2.foo.com is <CNAME>
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] foo.com to 8.8.4.4 Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo2.foo.com is <CNAME>
Jul  3 16:58:38 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
Jul 3 16:58:38 router daemon.info dnsmasq[11220]: query[A] foo2.foo.com from 192.168.42.2 Jul 3 16:58:38 router daemon.info dnsmasq[11220]: forwarded foo2.foo.com to 8.8.4.4 Jul 3 16:58:38 router daemon.info dnsmasq[11220]: dnssec-query[DNSKEY] foo.com to 8.8.4.4 Jul 3 16:58:38 router daemon.info dnsmasq[11220]: validation foo2.foo.com is ABANDONED Jul 3 16:58:38 router daemon.info dnsmasq[11220]: reply foo2.foo.com is <CNAME>
Jul  3 16:58:38 router daemon.info dnsmasq[11220]: reply foo.com is 2.2.2.2
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com.cloud.net.au from 192.168.42.2 Jul 3 16:58:38 router daemon.info dnsmasq[10149]: forwarded foo2.foo.com.cloud.net.au to 8.8.4.4 Jul 3 16:58:38 router daemon.info dnsmasq[10149]: validation result is INSECURE Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo2.foo.com.cloud.net.au is NXDOMAIN

Jul 3 17:00:48 router daemon.info dnsmasq[11425]: dnssec-query[DNSKEY] foo.com to 8.8.8.8 Jul 3 17:00:48 router daemon.info dnsmasq[11425]: validation dev.foo.com is ABANDONED Jul 3 17:00:48 router daemon.info dnsmasq[11425]: reply dev.foo.com is <CNAME> Jul 3 17:00:48 router daemon.info dnsmasq[11425]: reply office-gw.foo.com.au is 1.1.1.1 Jul 3 17:00:48 router daemon.info dnsmasq[10149]: query[A] dev.foo.com.cloud.net.au from 192.168.42.2 Jul 3 17:00:48 router daemon.info dnsmasq[10149]: cached dev.foo.com.cloud.net.au is NXDOMAIN Jul 3 17:00:53 router daemon.info dnsmasq[10149]: query[A] docs.google.com from 192.168.42.2 Jul 3 17:00:53 router daemon.info dnsmasq[10149]: forwarded docs.google.com to 8.8.8.8 Jul 3 17:00:53 router daemon.info dnsmasq[10149]: validation result is INSECURE Jul 3 17:00:53 router daemon.info dnsmasq[10149]: reply docs.google.com is 216.58.200.110 Jul 3 17:01:02 router daemon.info dnsmasq[10149]: query[A] foo1.foo.com from 192.168.42.2 Jul 3 17:01:02 router daemon.info dnsmasq[10149]: forwarded foo1.foo.com to 8.8.8.8 Jul 3 17:01:02 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] foo.com to 8.8.8.8 Jul 3 17:01:03 router daemon.info dnsmasq[10149]: reply foo1.foo.com is 2.2.2.2 Jul 3 17:01:03 router daemon.info dnsmasq[11427]: query[A] foo1.foo.com from 192.168.42.2 Jul 3 17:01:03 router daemon.info dnsmasq[11427]: forwarded foo1.foo.com to 8.8.8.8 Jul 3 17:01:03 router daemon.info dnsmasq[11427]: dnssec-query[DNSKEY] foo.com to 8.8.8.8 Jul 3 17:01:03 router daemon.info dnsmasq[11427]: validation foo1.foo.com is ABANDONED Jul 3 17:01:03 router daemon.info dnsmasq[11427]: reply foo1.foo.com is 2.2.2.2


Hamish

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Reply via email to