Dear Simon,

good to hear this!
SERVFAIL logging will be useful for a few things (mostly troubleshooting).

I attach the output of the two commands you asked me to run (port 5353
is my local unbound, port 53 is dnsmasq).

Best,
Dominik


On 04.05.2018 16:35, Simon Kelley wrote:
> It could certainly be added, and would be useful thing to do.
>
> I'm actually more interested in the wrong/strange behaviour you mention,
> since there's some evidence of this, and it seems to be problems with
> the answers from upstream servers, but we can't identify which servers
> are causing the problem.
>
> Please could you try the following two queries _to_your_unbound_server_
> and report the results?
>
>
> dig +dnssec ds archive.raspberrypi.org
>
>
> dig +vc +dnssec ds archive.raspberrypi.org
>
>
>
> Cheers,
>
> Simon.
>
>
> On 28/04/18 10:40, Dominik wrote:
>> Dear dnsmasq list members,
>>
>> I'm running an unbound recursive DNS server. It is the only forwarding
>> destination of my local dnsmasq instance. The unbound resolver is aware
>> of DNSSEC and handles it well. I have NOT enabled DNSSEC support in
>> dnsmasq itself, as it was sometimes giving wrong/strange behavior (the
>> same domains were sometimes SECURE, sometimes BOGUS). I'm running
>> dnsmasq 2.79.
>>
>> If I query a BOGUS domain directly from my unbound resolver (e.g., dig
>> www.dnssec-failed.org), I'm getting a SERVFAIL response. dnsmasq simply
>> forwards this SERVFAIL to the requesting client and hence they are
>> protected against BOGUS domain records just as expected.
>>
>> However, looking into dnsmasq's log file, I only see
>>
>> Apr 28 11:36:13 dnsmasq[440]: 132 192.168.2.209/43506 query[A]
>> www.dnssec-failed.org from 192.168.2.209
>> Apr 28 11:36:13 dnsmasq[440]: 132 192.168.2.209/43506 forwarded
>> www.dnssec-failed.org to 127.0.0.1
>>
>> The SERVFAIL event is never logged.
>>
>> Could this be added without too much effort?
>>
>> Best regards,
>> Dominik
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss@lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


$ dig +dnssec ds archive.raspberrypi.org -p 5353

; <<>> DiG 9.9.5-9+deb8u15-Raspbian <<>> +dnssec ds archive.raspberrypi.org -p 
5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43011
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;archive.raspberrypi.org.       IN      DS

;; ANSWER SECTION:
archive.raspberrypi.org. 3600   IN      CNAME   lb.raspberrypi.org.
archive.raspberrypi.org. 3600   IN      RRSIG   CNAME 10 3 300 20180528081727 
20180428073456 33908 raspberrypi.org. 
ZjEtTgtRTsfE1WLN2i6zeAKEMPnZozrci7KFW036E3LHD+ddvC8FAV7O 
/9pzyafh2NEYXU2eCgejELSA/xkyId3NHLdZKY1qoC3GCnNd2gPjm9F+ 
uqhvMNecv6XWA7+rXgY7gHBNm0hIZF1pV9CJeROz/ciCMIBIBfyJ3dGG 
jpAzTU7UkRLPJZsNrdPP1ogcEGAwiWEXAj9YsWBzYoeulDGign1fFG5q 
5zzBLOVLlaz2d5cppUu7cGs5r3R97iEpKKK8WB/3+nTgMe2pSdqJDEHG 
QQp8NJeRFHU2RgNjDobKWOo/tA4z5/7jMHUS+FHJnJ3FqbxAbRX+tA44 yn8Tkw==

;; AUTHORITY SECTION:
lb.raspberrypi.org.     3600    IN      NSEC    lb-hex-1.raspberrypi.org. A 
AAAA RRSIG NSEC
lb.raspberrypi.org.     3600    IN      RRSIG   NSEC 10 3 3600 20180528082714 
20180428073456 33908 raspberrypi.org. 
AzPZCiJ3PmC9LtutcnYk0/jt9b2SIrUhIJKyzT2DwqLQXs7jYz5iPZAX 
lKU0bjnHX/2qYOIaI+PYCq6Nz5UmkzMT/OK7op2iHY4J/j96v6JsAQS6 
RrKBE41lUEbdqZAkmidNn/S8eaA26ucI89ZutB0mL0MBhCb49sCN8kbu 
mqvk2Z2ttMIqzgcwjhaRnLJO+Vbkm6kANAYt/V3wJOtktF3dpClP/wur 
zSOzDwcwDly+ceoaYXSc8HhPm3JHjQrjYZiM5mZbdAM0YKH+8skMj95i 
8PrmZ79UnCkbgdOTfh6qrDQeNx8Q3HtgIY/8zw10qYuqaN44hBN7jSBW bTAFcw==
raspberrypi.org.        3600    IN      SOA     ns2.mythic-beasts.com. 
hostmaster.mythic-beasts.com. 2010014918 21600 7200 604800 3600
raspberrypi.org.        3600    IN      RRSIG   SOA 10 2 86400 20180603162813 
20180504152813 33908 raspberrypi.org. 
khxJzk4RX08tVBWRIVldkXAheDNY+Twpw7sUmpEA3i8ngcl25CGgABAA 
Kjdg/gNHnhQ9i4ZwXmCjhjawTquPWClxLSLAhiAw051XDUs8zjFUa0yh 
BoFSZ2wnem6YNRWN8iskLwH5HczbauzYYb8/KQpRIBWBoBM6tlAaRFsX 
pj26ZswuDINiC8RoPaf13NmtTFhl51fNJfLXQgruQbPixRxh5+7ERQTk 
MMa7GlQvWusSxDXJ3P7wlucn6Y7ZbifYonK2RUP6vXb163hdNyOrzIbd 
scKua4HoVZCPcQklI1cyf+B6rU9Gy2MNQU2ZfByPgcXYuRK21CwD1jin TgDeCw==

;; Query time: 540 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri May 04 18:29:39 CEST 2018
;; MSG SIZE  rcvd: 1092






$ dig +vc +dnssec ds archive.raspberrypi.org -p 5353

; <<>> DiG 9.9.5-9+deb8u15-Raspbian <<>> +vc +dnssec ds archive.raspberrypi.org 
-p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42559
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;archive.raspberrypi.org.       IN      DS

;; ANSWER SECTION:
archive.raspberrypi.org. 3569   IN      CNAME   lb.raspberrypi.org.
archive.raspberrypi.org. 3569   IN      RRSIG   CNAME 10 3 300 20180528081727 
20180428073456 33908 raspberrypi.org. 
ZjEtTgtRTsfE1WLN2i6zeAKEMPnZozrci7KFW036E3LHD+ddvC8FAV7O 
/9pzyafh2NEYXU2eCgejELSA/xkyId3NHLdZKY1qoC3GCnNd2gPjm9F+ 
uqhvMNecv6XWA7+rXgY7gHBNm0hIZF1pV9CJeROz/ciCMIBIBfyJ3dGG 
jpAzTU7UkRLPJZsNrdPP1ogcEGAwiWEXAj9YsWBzYoeulDGign1fFG5q 
5zzBLOVLlaz2d5cppUu7cGs5r3R97iEpKKK8WB/3+nTgMe2pSdqJDEHG 
QQp8NJeRFHU2RgNjDobKWOo/tA4z5/7jMHUS+FHJnJ3FqbxAbRX+tA44 yn8Tkw==

;; AUTHORITY SECTION:
lb.raspberrypi.org.     3569    IN      NSEC    lb-hex-1.raspberrypi.org. A 
AAAA RRSIG NSEC
lb.raspberrypi.org.     3569    IN      RRSIG   NSEC 10 3 3600 20180528082714 
20180428073456 33908 raspberrypi.org. 
AzPZCiJ3PmC9LtutcnYk0/jt9b2SIrUhIJKyzT2DwqLQXs7jYz5iPZAX 
lKU0bjnHX/2qYOIaI+PYCq6Nz5UmkzMT/OK7op2iHY4J/j96v6JsAQS6 
RrKBE41lUEbdqZAkmidNn/S8eaA26ucI89ZutB0mL0MBhCb49sCN8kbu 
mqvk2Z2ttMIqzgcwjhaRnLJO+Vbkm6kANAYt/V3wJOtktF3dpClP/wur 
zSOzDwcwDly+ceoaYXSc8HhPm3JHjQrjYZiM5mZbdAM0YKH+8skMj95i 
8PrmZ79UnCkbgdOTfh6qrDQeNx8Q3HtgIY/8zw10qYuqaN44hBN7jSBW bTAFcw==
raspberrypi.org.        3569    IN      SOA     ns2.mythic-beasts.com. 
hostmaster.mythic-beasts.com. 2010014918 21600 7200 604800 3600
raspberrypi.org.        3569    IN      RRSIG   SOA 10 2 86400 20180603162813 
20180504152813 33908 raspberrypi.org. 
khxJzk4RX08tVBWRIVldkXAheDNY+Twpw7sUmpEA3i8ngcl25CGgABAA 
Kjdg/gNHnhQ9i4ZwXmCjhjawTquPWClxLSLAhiAw051XDUs8zjFUa0yh 
BoFSZ2wnem6YNRWN8iskLwH5HczbauzYYb8/KQpRIBWBoBM6tlAaRFsX 
pj26ZswuDINiC8RoPaf13NmtTFhl51fNJfLXQgruQbPixRxh5+7ERQTk 
MMa7GlQvWusSxDXJ3P7wlucn6Y7ZbifYonK2RUP6vXb163hdNyOrzIbd 
scKua4HoVZCPcQklI1cyf+B6rU9Gy2MNQU2ZfByPgcXYuRK21CwD1jin TgDeCw==

;; Query time: 143 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri May 04 18:30:10 CEST 2018
;; MSG SIZE  rcvd: 1092
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Reply via email to