On 04/05/18 17:32, Dominik wrote:
> Dear Simon,
>
> good to hear this!
> SERVFAIL logging will be useful for a few things (mostly troubleshooting).

I just pushed a patch into git to make this happen.

>
> I attach the output of the two commands you asked me to run (port 5353
> is my local unbound, port 53 is dnsmasq).
>

Thanks. It's not the smoking gun, but it is more data.

Cheers,

Simon.

> Best,
> Dominik
>
>
> On 04.05.2018 16:35, Simon Kelley wrote:
>> It could certainly be added, and would be a useful thing to do.
>>
>> I'm actually more interested in the wrong/strange behaviour you mention,
>> since there's some evidence of this, and it seems to be problems with
>> the answers from upstream servers, but we can't identify which servers
>> are causing the problem.
>>
>> Please could you try the following two queries _to_your_unbound_server_
>> and report the results?
>>
>>
>> dig +dnssec ds archive.raspberrypi.org
>>
>>
>> dig +vc +dnssec ds archive.raspberrypi.org
>>
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>
>> On 28/04/18 10:40, Dominik wrote:
>>> Dear dnsmasq list members,
>>>
>>> I'm running an unbound recursive DNS server. It is the only forwarding
>>> destination of my local dnsmasq instance. The unbound resolver is aware
>>> of DNSSEC and handles it well. I have NOT enabled DNSSEC support in
>>> dnsmasq itself, as it was sometimes giving wrong/strange behavior (the
>>> same domains were sometimes SECURE, sometimes BOGUS). I'm running
>>> dnsmasq 2.79.
>>>
>>> If I query a BOGUS domain directly from my unbound resolver (e.g., dig
>>> www.dnssec-failed.org), I'm getting a SERVFAIL response. dnsmasq simply
>>> forwards this SERVFAIL to the requesting client and hence they are
>>> protected against BOGUS domain records just as expected.
>>>
>>> However, looking into dnsmasq's log file, I only see
>>>
>>> Apr 28 11:36:13 dnsmasq: 132 192.168.2.209/43506 query[A]
>>> www.dnssec-failed.org from 192.168.2.209
>>> Apr 28 11:36:13 dnsmasq: 132 192.168.2.209/43506 forwarded
>>> www.dnssec-failed.org to 127.0.0.1
>>>
>>> The SERVFAIL event is never logged.
>>>
>>> Could this be added without too much effort?
>>>
>>> Best regards,
>>> Dominik
>>>
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasqemail@example.com
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
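
The logging gap described in the original report can be spotted in an existing log. The following is an added example, not part of the thread and not dnsmasq code: it pairs each `query[...]` line with later lines carrying the same serial and client/port (the log format quoted above) and reports queries that were forwarded but never got an answer line. The answer keywords (`reply`, `cached`, `config`) and every sample line after the first two are assumptions constructed for illustration.

```python
import re
from collections import OrderedDict

# Log format quoted in the thread (an optional "[pid]" is tolerated):
#   "<date> dnsmasq: <serial> <client>/<port> <action> <rest>"
LINE_RE = re.compile(
    r"dnsmasq(?:\[\d+\])?: (?P<serial>\d+) (?P<client>\S+)/(?P<port>\d+) "
    r"(?P<action>\S+) (?P<rest>.*)$"
)
# Assumption: a line starting with one of these words means an answer was logged.
ANSWER_ACTIONS = {"reply", "cached", "config"}

# Constructed sample: serial 132 is taken from the thread, 133 and 134 are invented.
SAMPLE_LOG = """\
Apr 28 11:36:13 dnsmasq: 132 192.168.2.209/43506 query[A] www.dnssec-failed.org from 192.168.2.209
Apr 28 11:36:13 dnsmasq: 132 192.168.2.209/43506 forwarded www.dnssec-failed.org to 127.0.0.1
Apr 28 11:36:20 dnsmasq: 133 192.168.2.209/51234 query[A] example.org from 192.168.2.209
Apr 28 11:36:20 dnsmasq: 133 192.168.2.209/51234 forwarded example.org to 127.0.0.1
Apr 28 11:36:20 dnsmasq: 133 192.168.2.209/51234 reply example.org is 192.0.2.10
Apr 28 11:36:25 dnsmasq: 134 192.168.2.209/40000 query[A] example.org from 192.168.2.209
Apr 28 11:36:25 dnsmasq: 134 192.168.2.209/40000 cached example.org is 192.0.2.10
""".splitlines()


def unanswered_forwards(lines):
    """Return (serial, client, qtype, name) for each query that was
    forwarded upstream but has no answer line in the log."""
    pending = OrderedDict()  # (serial, client, port) -> query state
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an extended query-log line
        key = (m["serial"], m["client"], m["port"])
        action, rest = m["action"], m["rest"]
        if action.startswith("query["):
            name = (rest.split() or [""])[0]
            pending[key] = {"qtype": action[6:-1], "name": name, "forwarded": False}
        elif key in pending:
            if action == "forwarded":
                pending[key]["forwarded"] = True
            elif action in ANSWER_ACTIONS:
                del pending[key]  # answered, nothing to report
    return [(k[0], k[1], v["qtype"], v["name"])
            for k, v in pending.items() if v["forwarded"]]


if __name__ == "__main__":
    for hit in unanswered_forwards(SAMPLE_LOG):
        print("forwarded, no answer logged:", hit)
```

A flagged entry may be an upstream error such as the SERVFAIL discussed here or an upstream that never answered; a log without an explicit error line cannot tell the two apart.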